httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?
Date Fri, 11 Apr 2014 12:40:33 GMT
On Fri, Apr 11, 2014 at 8:38 AM, Jeff Trawick <trawick@gmail.com> wrote:

> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
> are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
>
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
> configuration change besides disabling SSL/TLS completely can resolve this.
> Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
> extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
>

"SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the
configuration to one or both of those protocols is not recommended for
other reasons."


>
> If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> contact the supplier of the binary for resolution. If you build OpenSSL
> yourself, refer to the OpenSSL project for further information, including
> the advisory at http://www.openssl.org/news/secadv_20140407.txt .
>
>
> XXXX
>
> Have binaries which included an affected level of OpenSSL ever been
> distributed from our site?
>
> I don't see anything from the release/httpd/binaries/win32 directory in
> the output of svn log -v | grep openssl . (Is that the right check?)
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
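The draft advisory above gives an operator exactly two facts to check on a server: which OpenSSL release the binary reports (1.0.1a through 1.0.1f affected, 1.0.1g or later fixed) and whether that build was configured with the TLS Heartbeat extension disabled. The following POSIX shell script is an added example, not part of the thread or of any httpd or OpenSSL project code; it classifies the output of `openssl version` against the range named in the advisory and looks for the `OPENSSL_NO_HEARTBEATS` define in the compiler flags printed by `openssl version -f` (the assumption being that a 1.0.1 build configured with `no-heartbeats` carries `-DOPENSSL_NO_HEARTBEATS` in that line). Releases outside the 1.0.1 branch are reported as `not-in-range` rather than as safe, since the advisory text does not speak to them, and the plain `1.0.1` release, which predates 1.0.1a and is not named in the draft, is reported as `unknown` so that it gets looked at by hand.

```shell
#!/bin/sh
# Added example: classify a local OpenSSL build against the range named in the
# draft advisory (1.0.1a-f affected, 1.0.1g+ fixed). Not project code.

# Map an "openssl version" string to one of: affected, fixed, unknown, not-in-range.
classify_openssl_version() {
    # Pull "1.0.1e" out of e.g. "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1[a-f])  echo affected ;;      # range given in the advisory
        1.0.1[g-z]*) echo fixed ;;         # 1.0.1g or later
        1.0.1)       echo unknown ;;       # base release, not named in the draft
        *)           echo not-in-range ;;  # other branches: advisory is silent
    esac
}

# Exit 0 when the "openssl version -f" compiler line shows a no-heartbeats
# build (assumption: the -DOPENSSL_NO_HEARTBEATS define appears in that line).
built_without_heartbeats() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Combine both facts. An affected release whose build dropped the heartbeat
# extension is reported as mitigated-by-build; everything else passes through.
heartbleed_exposure() {
    status=$(classify_openssl_version "$1")
    if [ "$status" = affected ] && built_without_heartbeats "$2"; then
        echo mitigated-by-build
    else
        echo "$status"
    fi
}

# Stand-alone use: "sh check.sh --local" reports on the openssl binary in PATH.
if [ "${1:-}" = "--local" ] && command -v openssl >/dev/null 2>&1; then
    heartbleed_exposure "$(openssl version)" "$(openssl version -f)"
fi
```

Note that this only inspects the library the `openssl` command in PATH was linked against; an httpd built against a different OpenSSL (a bundled or statically linked copy, as with the Windows binaries discussed above) has to be checked with the version string that httpd itself reports, which is the reason the draft points binary users back to their supplier.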
