httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: Mini-advisory on heartbeat bug on ?
Date Fri, 11 Apr 2014 12:40:33 GMT
On Fri, Apr 11, 2014 at 8:38 AM, Jeff Trawick <> wrote:

> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
> are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
> configuration change besides disabling SSL/TLS completely can resolve this.
> Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
> extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.

"SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the
configuration to one or both of those protocols is not recommended for
other reasons."

> If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> contact the supplier of the binary for resolution. If you build OpenSSL
> yourself, refer to the OpenSSL project for further information, including
> the advisory at .
> Have binaries which included an affected level of OpenSSL ever been
> distributed from our site?
> I don't see anything from the release/httpd/binaries/win32 directory in
> the output of svn log -v | grep openssl . (Is that the right check?)
> --
> Born in Roswell... married an alien...

Born in Roswell... married an alien...
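
A version check matching the ranges stated in the message above, as an added example that is not part of the original post or of httpd's own code. `classify_openssl` is a hypothetical helper name and the sample banners are constructed; treating the letterless 1.0.1 release as affected follows the OpenSSL advisory's range (1.0.1 through 1.0.1f) and is not stated in the message.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version banner against the advisory text
# (1.0.1a-f affected, 1.0.1g or later fixed, heartbeat-disabled rebuild OK).
# Input: the output of `openssl version -a`, or an httpd Server token such as
# "Apache/2.4.9 (Unix) OpenSSL/1.0.1e" taken from the error log at startup.
# classify_openssl is a hypothetical helper name, not an httpd or OpenSSL tool.
classify_openssl() {
    banner=$1
    # Extract the first "OpenSSL <ver>" or "OpenSSL/<ver>" token from the text.
    ver=$(printf '%s\n' "$banner" |
        LC_ALL=C sed -n 's|.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*|\1|p' |
        head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    case $ver in
        1.0.1|1.0.1[a-f])
            # A rebuild with the TLS Heartbeat extension compiled out carries
            # this define on the "compiler:" line of `openssl version -a`.
            case $banner in
                *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled ;;
                *) echo affected ;;
            esac ;;
        1.0.1[g-z]*) echo fixed ;;
        # Anything else is outside the range the message names.
        *) echo not-listed ;;
    esac
}

# Constructed sample inputs; replace with "$(openssl version -a)" on a host.
for sample in \
    'OpenSSL 1.0.1e 11 Feb 2013' \
    'Apache/2.4.9 (Unix) OpenSSL/1.0.1g' \
    'OpenSSL 0.9.8y 5 Feb 2013'
do
    printf '%-40s %s\n' "$sample" "$(classify_openssl "$sample")"
done
```

A result of `affected` from the version letter alone is a prompt to ask the binary's supplier, since a vendor can ship a patched build under an unchanged version string. Check the library that httpd actually loads as well, which may differ from the `openssl` binary on `PATH`.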
