httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?
Date Fri, 11 Apr 2014 16:05:29 GMT
On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <trawick@gmail.com> wrote:

> On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <
> rainer.canavan@sevenval.com> wrote:
>
>>
>> On Apr 11, 2014, at 14:38 , Jeff Trawick <trawick@gmail.com> wrote:
>>
>> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL
>> 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
>> >
>> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP
>> Server configuration change besides disabling SSL/TLS completely can
>> resolve this.  Instead, a patch to OpenSSL, a rebuild of OpenSSL with the
>> TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or
>> later is required.
>> >
>> > If you obtain OpenSSL in binary form with or without Apache HTTP
>> Server, contact the supplier of the binary for resolution.  If you build
>> OpenSSL yourself, refer to the OpenSSL project for further information,
>> including the advisory at http://www.openssl.org/news/secadv_20140407.txt.
>>
>> mod_spdy comes bundled with a script that builds mod_ssl.so with a
>> statically linked OpenSSL. Other people may have done the same, or even
>> with a mod_ssl built statically into apache. For those, just updating
>> OpenSSL may be insufficient to fix the heartbleed bug.
>>
>> rainer
>
>
>
> Hmmm... mod_ssl could be linked statically with OpenSSL, mod_spdy or not.
> Yeah, it is more complicated, but that makes it even more useful to explain.
>
> --/--
>
> httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is
> statically linked with mod_ssl.  Note:  The build of mod_spdy may rebuild
> mod_ssl in this manner.
>
> If you are using a commercial product based on Apache HTTP Server, consult
> the vendor for information about the applicability of CVE-2014-0160 to
> your server.  If you are otherwise using mod_ssl or a replacement for it
> from a third party, consult the third party for more information.  If your
> third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the
> vendor for more information.
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/
>
>
I'll leave it at this (plus any subsequent fixes):

http://emptyhammock.blogspot.com/2014/04/apache-http-server-and-cve-2014-0160-so.html

If anyone wants http://httpd.apache.org to have something similar, we can
move/improve the text on my blog.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
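The draft advisory text in this thread splits Heartbleed remediation into two cases: mod_ssl that loads the system libssl/libcrypto (update OpenSSL and restart), and mod_ssl or httpd built with OpenSSL statically linked, as mod_spdy's build script does (rebuild is required). The script below is an added example written for this archive page, not code from the thread, from httpd or from mod_spdy. It classifies a given httpd or mod_ssl.so file into one of those cases by looking for the OpenSSL shared-library names and the embedded OpenSSL version string. It assumes GNU grep (for `-a` and `-o`); the affected range it checks, 1.0.1 through 1.0.1f, is the one the OpenSSL advisory gives; the sample `.so` files it creates are constructed stand-ins, and the labels `dynamic`, `static-vulnerable`, `static-fixed` and `no-openssl` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the httpd-dev thread): classify an httpd or mod_ssl.so
# binary by how it obtains OpenSSL, to pick the CVE-2014-0160 remediation the
# advisory text describes. Assumes GNU grep (for -a and -o); the sample files
# at the bottom are constructed stand-ins, not real modules.

# List the OpenSSL version strings embedded in a file, one per line.
# OpenSSL compiles its version text (e.g. "OpenSSL 1.0.1e 11 Feb 2013") into
# libcrypto, so a statically linked mod_ssl carries it in its own image.
embedded_openssl_versions() {
    LC_ALL=C grep -a -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' "$1" 2>/dev/null | sort -u
}

# Return 0 if the file names the OpenSSL shared libraries as dependencies.
# Heuristic: the NEEDED entries of a dynamically linked object sit in .dynstr
# as plain text; `readelf -d FILE` is the authoritative check where binutils
# is installed.
links_openssl_dynamically() {
    LC_ALL=C grep -a -q -E 'lib(ssl|crypto)\.so' "$1" 2>/dev/null
}

# Return 0 if a version string falls in the range the OpenSSL advisory lists
# as affected: 1.0.1 through 1.0.1f. 1.0.1g and later are fixed.
is_heartbleed_version() {
    case "$1" in
        "OpenSSL 1.0.1"|"OpenSSL 1.0.1"[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one word naming the remediation the file needs:
#   dynamic           update the system libssl/libcrypto, then restart httpd
#   static-vulnerable rebuild httpd/mod_ssl against OpenSSL 1.0.1g or later
#   static-fixed      embeds a non-vulnerable OpenSSL; nothing to rebuild
#   no-openssl        no OpenSSL found (e.g. a module unrelated to TLS)
classify_binary() {
    if links_openssl_dynamically "$1"; then
        echo dynamic
        return 0
    fi
    versions=$(embedded_openssl_versions "$1")
    if [ -z "$versions" ]; then
        echo no-openssl
        return 0
    fi
    result=static-fixed
    # Read line by line: version strings contain spaces, so avoid word splitting.
    while IFS= read -r v; do
        if is_heartbleed_version "$v"; then
            result=static-vulnerable
        fi
    done <<EOF
$versions
EOF
    echo "$result"
}

# Usage with constructed sample files (in a real audit, pass the installed
# httpd binary and every mod_ssl.so, including any mod_spdy-built copy).
demo_dir=$(mktemp -d)
printf 'ELF\0OpenSSL 1.0.1e 11 Feb 2013\0' > "$demo_dir/static_old.so"
printf 'ELF\0OpenSSL 1.0.1g 7 Apr 2014\0' > "$demo_dir/static_new.so"
printf 'ELF\0libssl.so.1.0.0\0libcrypto.so.1.0.0\0' > "$demo_dir/dynamic.so"
for f in "$demo_dir"/*.so; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_binary "$f")"
done
rm -rf "$demo_dir"
```

Run it against the installed httpd binary and each mod_ssl.so on the server; a `dynamic` result means the OpenSSL package update is what matters, while `static-vulnerable` means the module itself has to be rebuilt, which is the case Rainer raises for mod_spdy. Both checks are string heuristics over the file image, so treat `readelf -d` (dependencies) and the vendor's build information as the final word.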
