httpd-dev mailing list archives

From Dirk-Willem van Gulik <>
Subject Updated draft announcement apache.
Date Fri, 06 Nov 2009 22:13:14 GMT
With some feedback from various folks.

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM 

We strongly urge you to upgrade to OpenSSL 0.9.8l; and be prepared to 
deploy 0.9.8m as it becomes available[3,4]. Note that these are short-term 
and mid-term mitigations; the long-term solution may well require a 
modification of the SSL and/or TLS protocols[5].

For those who are not able to upgrade swiftly and/or for those who need 
detailed logging - we recommend that you roll out this patch (URL) as 
soon as possible.

If you are unable to patch and unable to roll out a newer version of 
OpenSSL, and you rely on Client Side Authentication with Certificates, 
then we recommend that you ensure that you limit your configuration to a 
single 'SSLClient require' at VirtualHost/Server level and remove 
all other (re)negotiation changes. However this does NOT fully protect 
you - it just curtails authentication in this specific setting.

A version with this patch, Apache 2.2.15, is currently being 
readied[4]; there are no plans for a backport to 1.3.X at this time. A 
further announcement will be sent out when these are available.

    openssl-announce mailing list on
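As an added illustration of the configuration advice in the draft above (not part of the announcement or of the Apache project's own examples), the two mod_ssl fragments below contrast a per-location client-certificate requirement, which mod_ssl can only satisfy by renegotiating an established TLS session, with the single vhost-level setting the draft recommends. Hostnames and file paths are placeholders.

```apache
# Added example; hostnames and paths are assumptions, not from the announcement.

# WEAK: the vhost accepts anonymous clients, and only /secure demands a
# certificate. mod_ssl enforces that by renegotiating the already-open TLS
# session on the first request for /secure. That renegotiation is the step
# CVE-2009-3555 concerns, so this layout should be avoided until patched.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient none
    <Location /secure>
        # Per-directory change of SSL parameters => renegotiation.
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Location>
</VirtualHost>

# RECOMMENDED INTERIM LAYOUT: one client-certificate requirement, decided in
# the initial handshake for the whole vhost, so no renegotiation is needed.
# Content that must stay open to anonymous clients is served from a
# separate vhost rather than from an exempted <Location> here.
<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    # Do not set SSLVerifyClient or SSLCipherSuite in <Location> or
    # <Directory> blocks, or in .htaccess: each such per-directory override
    # forces mod_ssl to renegotiate and reintroduces the exposure.
</VirtualHost>
```

A quick audit for leftover per-directory triggers is to grep the configuration tree for SSLVerifyClient and SSLCipherSuite occurrences that sit inside <Location>, <Directory> or .htaccess contexts rather than directly in a <VirtualHost> or the server scope.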
