httpd-dev mailing list archives

From "Rainer M. Canavan" <rainer.cana...@sevenval.com>
Subject Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?
Date Fri, 11 Apr 2014 12:56:51 GMT

On Apr 11, 2014, at 14:38 , Jeff Trawick <trawick@gmail.com> wrote:

> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable
> to CVE-2014-0160, the so called "Heartbleed Bug."
>
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration
> change besides disabling SSL/TLS completely can resolve this.  Instead, a patch to OpenSSL,
> a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to
> 1.0.1g or later is required.
>
> If you obtain OpenSSL in binary form with or without Apache HTTP Server, contact the
> supplier of the binary for resolution.  If you build OpenSSL yourself, refer to the OpenSSL
> project for further information, including the advisory at
> http://www.openssl.org/news/secadv_20140407.txt .

mod_spdy comes bundled with a script that builds mod_ssl.so with a statically linked 
OpenSSL. Other people may have done the same, or even with a mod_ssl built statically
into apache. For those, just updating OpenSSL may be insufficient to fix the heartbleed
bug. 

rainer
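
One way to check for the situation described in the message above, as an added example that is not part of the original post or of any project's code: it scans a module's bytes for the banners OpenSSL compiles into its own objects (" part of OpenSSL <version>"), which a mod_ssl.so built against a shared libssl normally does not carry. The function names and sample byte strings are constructed for illustration, and a match is a heuristic: the version string cannot show whether that copy was patched or built with the Heartbeat extension disabled.

```python
import re
import sys

# Library-internal banners such as b"TLSv1 part of OpenSSL 1.0.1f 6 Jan 2014"
# come from libssl/libcrypto object files, so finding one inside a module
# suggests OpenSSL code was linked in statically (heuristic, not proof).
BANNER = re.compile(rb" part of OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[a-z0-9]+)?) ")

# The quoted advisory text names 1.0.1a-f; the base 1.0.1 release is treated
# the same way here, following the OpenSSL advisory it links to.
AFFECTED = re.compile(r"1\.0\.1[a-f]?")

# Constructed sample inputs (not real binaries).
STATIC_SAMPLE = (b"\x7fELF\x00mod_ssl.c\x00"
                 b"TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013\x00"
                 b"AES part of OpenSSL 1.0.1e 11 Feb 2013\x00")
DYNAMIC_SAMPLE = b"\x7fELF\x00libssl.so.1.0.0\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
REBUILT_SAMPLE = b"\x7fELF\x00TLSv1 part of OpenSSL 1.0.1g 7 Apr 2014\x00"


def embedded_versions(data):
    """Return the set of OpenSSL versions whose library banners are embedded."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(data)}


def audit(data):
    """Summarise how a module appears to be linked against OpenSSL."""
    versions = embedded_versions(data)
    return {
        # Versions of OpenSSL that appear to be compiled into this file.
        "static_openssl": sorted(versions),
        # The shared library name shows up when libssl is a dynamic dependency;
        # that copy is fixed by updating the system OpenSSL package.
        "dynamic_libssl": b"libssl.so" in data,
        # Embedded copies in the affected range: updating the system OpenSSL
        # does not touch these, the module itself has to be rebuilt.
        "needs_rebuild": sorted(v for v in versions if AFFECTED.fullmatch(v)),
    }


if __name__ == "__main__":
    # Usage: python check_static_openssl.py /path/to/mod_ssl.so /path/to/httpd
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, audit(fh.read()))
```

Run it against both mod_ssl.so and the httpd binary itself, since the message notes mod_ssl may be built statically into the server.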