httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: Mini-advisory on heartbeat bug on ?
Date Fri, 11 Apr 2014 14:18:19 GMT
On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <> wrote:

> On Apr 11, 2014, at 14:38 , Jeff Trawick <> wrote:
> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL
> > 1.0.1a-f are vulnerable to CVE-2014-0160, the so called "Heartbleed Bug."
> >
> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP
> > Server configuration change besides disabling SSL/TLS completely can
> > resolve this.  Instead, a patch to OpenSSL, a rebuild of OpenSSL with the
> > TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or
> > later is required.
> >
> > If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> > contact the supplier of the binary for resolution.  If you build OpenSSL
> > yourself, refer to the OpenSSL project for further information, including
> > the advisory at .
>
> mod_spdy comes bundled with a script that builds with a statically linked
> OpenSSL. Other people may have done the same, or even with a mod_ssl built
> statically into apache. For those, just updating OpenSSL may be insufficient
> to fix the heartbleed bug.
>
> rainer

Hmmm...  mod_ssl could be linked statically with OpenSSL, mod_spdy or not.
Yeah it is more complicated, but that makes it even more useful to explain.


httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is
statically linked with mod_ssl.  Note:  The build of mod_spdy may rebuild
mod_ssl in this manner.

If you are using a commercial product based on Apache HTTP Server, consult
the vendor for information about the applicability of CVE-2014-0160 to your
server.  If you are otherwise using mod_ssl or a replacement for it from a
third party, consult the third party for more information.  If your
third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the
vendor for more information.

Born in Roswell... married an alien...
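
Added example, not part of the original message or of the httpd or OpenSSL code: a triage sketch for the static-linking case discussed above, which scans a module or httpd binary for an embedded OpenSSL version banner and checks whether it also names a shared libssl dependency. The result labels, the sample byte strings, and the treatment of the unlettered 1.0.1 release are assumptions of this example.

```python
import re
import sys

# Banner string embedded by OpenSSL builds, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-\w+)? +\d{1,2} [A-Z][a-z]{2} \d{4}")
# Dependency name that appears in a module linked against a shared libssl.
SHARED_DEP = re.compile(rb"libssl\.so[.\w]*")

def embedded_openssl_versions(blob):
    """Return the sorted, unique (base, letter) versions found in the bytes."""
    return sorted({(m.group(1).decode(), m.group(2).decode())
                   for m in BANNER.finditer(blob)})

def in_flagged_range(base, letter):
    # The message names 1.0.1a-f as vulnerable and 1.0.1g as the upgrade.
    # Assumption added here: the unlettered 1.0.1 release is flagged as well.
    return base == "1.0.1" and letter in ("", "a", "b", "c", "d", "e", "f")

def classify(blob):
    """Triage one binary image; a banner match is a lead, not a verdict."""
    versions = embedded_openssl_versions(blob)
    if not versions:
        return "no-embedded-openssl"
    if not any(in_flagged_range(b, l) for b, l in versions):
        return "embedded-openssl-outside-range"
    # With a shared libssl dependency, the installed library decides.
    if SHARED_DEP.search(blob):
        return "check-shared-libssl"
    return "rebuild-candidate"

# Constructed byte strings standing in for module files (not real binaries).
SAMPLES = {
    "static-1.0.1f": b"\x7fELF\x00mod_ssl.c\x00OpenSSL 1.0.1f 6 Jan 2014\x00",
    "static-1.0.1g": b"\x7fELF\x00mod_ssl.c\x00OpenSSL 1.0.1g 7 Apr 2014\x00",
    "shared-1.0.1e": b"\x7fELF\x00libssl.so.1.0.0\x00OpenSSL 1.0.1e 11 Feb 2013\x00",
    "no-openssl": b"\x7fELF\x00mod_rewrite.c\x00",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:          # paths to httpd or module files
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify(fh.read()))
    else:
        for name, blob in SAMPLES.items():
            print(name, classify(blob))
```

A build with the TLS Heartbeat extension disabled, or one patched by its supplier, can keep the same banner, so a `rebuild-candidate` result is something to confirm with whoever built the binary.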
