Mike Busse wrote:
> OK, so I know about the openssl exploit that is out now.  I also know that
> I should be running openssl 0.9.6g to fix this problem.
> 
> My question or dilemma... Since I have RedHat's version of openssl (0.9.6b)
> and they say it's been fixed, do I still update it and use the openssl
> 0.9.6g from openssl.org's site or not?
> 

They could have easily ported the fix back to 0.9.6b.  I'd say don't do 
the 0.9.6g upgrade from source unless you have a need.  You can also 
turn off access to the exploit by disabling SSLv2 in apache.

Look for a line with SSLCipherSuite, it'll look something like
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!SSLv2

If it has +SSLv2 in it, change that to !SSLv2; if not, add :!SSLv2 to the 
end of that line.

This "fix" is mentioned toward the bottom of the CERT announcement for 
this exploit.  It's basically for situations where you can't easily 
upgrade to a newer version of the library.

Eric
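As an added example, not part of Eric's message or the CERT advisory, the following script applies the SSLCipherSuite rule he describes to an Apache config and audits which active directives still allow SSLv2. The config fragment is constructed for the example (its first directive is the line quoted in the message); the function names and the handling of a bare `SSLv2` token (no `+` or `!`) are this example's own additions. The reason the `+SSLv2` form is not enough is OpenSSL cipher-list syntax: `+` only moves matching ciphers to the end of the preference list, while `!` removes them outright, so only `!SSLv2` actually takes the SSLv2 ciphers out of what the server will negotiate.

```python
import re

# Constructed Apache ssl.conf fragment (not from the original thread). The first
# SSLCipherSuite line is the one quoted in Eric's message; the others show the
# "+SSLv2", "no SSLv2 token at all", and "commented out" cases.
SAMPLE_CONF = """\
SSLEngine on
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH
# SSLCipherSuite HIGH:+SSLv2   (commented out; must be left untouched)
"""

# Tokens that leave SSLv2 ciphers enabled. A bare "SSLv2" is treated like
# "+SSLv2"; that is an extension of the message, which only names "+SSLv2".
ENABLING_TOKENS = ("+SSLv2", "SSLv2")


def harden_cipher_suite(cipher_string: str) -> str:
    """Apply the rule from the message to one SSLCipherSuite value.

    Cipher-list tokens are colon-separated. Any enabling SSLv2 token becomes
    "!SSLv2"; if no SSLv2 token exists at all, ":!SSLv2" is appended. An
    existing "!SSLv2" is left as it is.
    """
    tokens = cipher_string.split(":")
    mentions_sslv2 = False
    for i, tok in enumerate(tokens):
        if tok in ENABLING_TOKENS:
            tokens[i] = "!SSLv2"
            mentions_sslv2 = True
        elif tok == "!SSLv2":
            mentions_sslv2 = True
    if not mentions_sslv2:
        tokens.append("!SSLv2")
    return ":".join(tokens)


def sslv2_disabled(cipher_string: str) -> bool:
    """True only when the value removes SSLv2 ciphers and never re-enables them."""
    tokens = cipher_string.split(":")
    return "!SSLv2" in tokens and not any(t in ENABLING_TOKENS for t in tokens)


# An active (uncommented) SSLCipherSuite directive, possibly indented inside a
# <VirtualHost> block. Group 1 keeps the indentation and directive name, group 2
# is the cipher string, group 3 is any trailing text.
_DIRECTIVE = re.compile(r"^(\s*SSLCipherSuite\s+)(\S+)(.*)$", re.IGNORECASE)


def audit_conf(conf_text: str) -> list:
    """Return 1-based line numbers of active directives that still allow SSLv2."""
    offending = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = _DIRECTIVE.match(line)
        if m and not sslv2_disabled(m.group(2)):
            offending.append(lineno)
    return offending


def harden_conf(conf_text: str) -> str:
    """Rewrite every active SSLCipherSuite directive; comments and other lines pass through."""
    out = []
    for line in conf_text.splitlines():
        m = _DIRECTIVE.match(line)
        if m:
            line = m.group(1) + harden_cipher_suite(m.group(2)) + m.group(3)
        out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


if __name__ == "__main__":
    print("lines still allowing SSLv2:", audit_conf(SAMPLE_CONF))
    print(harden_conf(SAMPLE_CONF))
```

Run it against a copy of httpd.conf or ssl.conf rather than in place, diff the result, then restart Apache; as the message says, this only removes the SSLv2 code path from what the server negotiates and is a workaround for hosts where the library itself cannot be upgraded yet.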