Return-Path: Delivered-To: apmail-httpd-bugs-archive@www.apache.org Received: (qmail 51214 invoked from network); 9 Feb 2011 09:40:55 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 9 Feb 2011 09:40:55 -0000 Received: (qmail 51786 invoked by uid 500); 9 Feb 2011 09:40:55 -0000 Delivered-To: apmail-httpd-bugs-archive@httpd.apache.org Received: (qmail 51458 invoked by uid 500); 9 Feb 2011 09:40:52 -0000 Mailing-List: contact bugs-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: Reply-To: "Apache HTTPD Bugs Notification List" List-Id: Delivered-To: mailing list bugs@httpd.apache.org Received: (qmail 51449 invoked by uid 99); 9 Feb 2011 09:40:52 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Feb 2011 09:40:52 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.22] (HELO thor.apache.org) (140.211.11.22) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Feb 2011 09:40:51 +0000 Received: from thor.apache.org (localhost [127.0.0.1]) by thor.apache.org (8.13.8+Sun/8.13.8) with ESMTP id p199eVg4021741 for ; Wed, 9 Feb 2011 09:40:31 GMT Received: (from daemon@localhost) by thor.apache.org (8.13.8+Sun/8.13.8/Submit) id p199eV9A021735; Wed, 9 Feb 2011 04:40:31 -0500 (EST) Date: Wed, 9 Feb 2011 04:40:31 -0500 (EST) From: bugzilla@apache.org To: bugs@httpd.apache.org Subject: DO NOT REPLY [Bug 50741] New: Detect when the OpenSSL runtime library is vulnerable to CVE-2011-0014 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Apache httpd-2 X-Bugzilla-Component: mod_ssl X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: rob@comodo.com X-Bugzilla-Status: NEW X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: bugs@httpd.apache.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Changed-Fields: Message-ID: X-Bugzilla-URL: https://issues.apache.org/bugzilla/ Auto-Submitted: auto-generated Content-Type: text/plain; charset="UTF-8" MIME-Version: 1.0 https://issues.apache.org/bugzilla/show_bug.cgi?id=50741 Summary: Detect when the OpenSSL runtime library is vulnerable to CVE-2011-0014 Product: Apache httpd-2 Version: 2.3-HEAD Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: mod_ssl AssignedTo: bugs@httpd.apache.org ReportedBy: rob@comodo.com http://www.openssl.org/news/secadv_20110208.txt reports that the following OpenSSL versions are vulnerable: - OpenSSL 0.9.8h through 0.9.8q - OpenSSL 1.0.0 through 1.0.0c I propose that mod_ssl should call SSLeay() when httpd starts up. If a vulnerable OpenSSL version is detected, a suitable warning should be logged. Hopefully this will prompt webmasters to upgrade OpenSSL to a patched version. With regard to Bug 50740 (Enable OCSP Stapling by default), I suggest that OCSP Stapling should not be enabled by default when a vulnerable OpenSSL version is detected. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org For additional commands, e-mail: bugs-help@httpd.apache.org