mod_ssl 2.8.31 PCI problem

Brandon Allbery allbery.b at
Mon Jun 11 15:22:24 PDT 2012

On Mon, Jun 11, 2012 at 6:01 PM, Tony Miller <tmiller at> wrote:

> I'm having a PCI compliance issue regarding apache 2.2.22 and mod_ssl
> 2.8.31. My security vendor says there is an issue with mod_ssl 2.2.22,
> which is the current installed version.

Does your security vendor understand the difference between the mod_ssl
that is included with Apache 2.x and the external one that was used with
Apache 1.3?  The latter is at 2.8.31 but is *only* for obsolete Apache 1.x.

The mod_ssl that comes with Apache 2 always has the same version as the
Apache it comes with.  Since 2.2.22 is the latest in the Apache 2.2 series,
your vendor is claiming that Apache 2.2.22 has an unpatched vulnerability.
 (The absolute latest one in the 2.x series is 2.4.2, which of course ships
with a mod_ssl that is also 2.4.2.)

Based on the evidence so far, I suggest your security vendor is confused.

brandon s allbery                                      allbery.b at
wandering unix systems administrator (available)     (412) 475-9364 vm/sms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the macports-users mailing list