httpd-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Re: TLS renegotiation attack, mod_ssl and OpenSSL
Date Fri, 06 Nov 2009 21:58:32 GMT
So what are the next steps here?

-	Joe's patch is final.

-	Give the community the advice 'immediately' - with a website
	update and an email to announce:

	Apache httpd is affected by CVE-XXXX (The SSL Injection
	or MiM attack).

	We strongly urge you to upgrade to OpenSSL 0.9.8l; and be
	prepared to deploy 0.9.8m as it becomes available.

	For those who are not able to upgrade swiftly and/or for those
	who need detailed logging - we recommend that you roll out
	this patch (URL) as soon as possible.

	If you are unable to patch and unable to roll out a newer
	version of OpenSSL then we recommend that you ensure that
	you limit your configuration to a single 'SSLClient require'
	or 'SSLClient none' at VirtualHost/Server level and remove
	all other (re)negotiation changes. However this does NOT
	fully protect you - it just curtails authentication.

	A version with this patch, Apache 2.2.15, is currently
	being readied; there are no plans for a backport to
	1.3.X at this time.

-	Check how much we have on the roster in - and either release
	a 2.x with just this CVE - or a more wrapped up one?

Do we need to backport this for the 1.3.42 branch?
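An added illustration of the interim advice in the message above (not from the message or the httpd project): the per-location setup that makes mod_ssl renegotiate mid-request, beside the single VirtualHost-level setting the advice asks for. It assumes the directive meant by 'SSLClient require/none' is mod_ssl's SSLVerifyClient; host names, addresses and paths are placeholders.

```apache
# Added example, not from the message or the httpd project.
# Assumption: 'SSLClient require/none' refers to mod_ssl's SSLVerifyClient.

# Before: changing client verification inside a <Location> forces mod_ssl
# to renegotiate the TLS session after the request line and headers have
# already been read, which is the window the renegotiation attack uses.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    SSLVerifyClient none
    <Location /secure/>
        # Triggers a mid-request renegotiation: remove this.
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
    <Location /legacy/>
        # Per-directory cipher changes renegotiate as well.
        SSLCipherSuite HIGH:!aNULL
    </Location>
</VirtualHost>

# After: one SSLVerifyClient value for the whole VirtualHost and no
# per-directory SSL changes, so the server never needs to renegotiate.
# Content that must not require a client certificate belongs in a
# separate VirtualHost (another name or port) with SSLVerifyClient none.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLCipherSuite        HIGH:!aNULL
    SSLVerifyClient       require
    SSLVerifyDepth        2
</VirtualHost>
```

As the message says, this only removes server-initiated renegotiation; an unpatched OpenSSL still accepts client-initiated renegotiation, so it is a stopgap until the OpenSSL upgrade or the mod_ssl patch is deployed.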
