httpd-dev mailing list archives

From Jeff Trawick <>
Subject Mini-advisory on heartbeat bug on ?
Date Fri, 11 Apr 2014 12:38:43 GMT
SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."

No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
configuration change besides disabling SSL/TLS completely can resolve this.
Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.

If you obtain OpenSSL in binary form with or without Apache HTTP Server,
contact the supplier of the binary for resolution. If you build OpenSSL
yourself, refer to the OpenSSL project for further information, including
the advisory at .


Have binaries which included an affected level of OpenSSL ever been
distributed from our site?

I don't see anything from the release/httpd/binaries/win32 directory in the
output of svn log -v | grep openssl . (Is that the right check?)

Born in Roswell... married an alien...
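
The version range and the rebuild option named in the message above can be checked against the text of `openssl version -a`; the following is an added example, not part of the original message and not code from the httpd or OpenSSL projects. The function name `heartbleed_status` and the sample outputs are constructed for illustration. It assumes the plain 1.0.1 release and 1.0.2-beta1 are affected as well (per the OpenSSL advisory; the message lists only 1.0.1a-f) and that a heartbeat-free rebuild shows `-DOPENSSL_NO_HEARTBEATS` on the `compiler:` line.

```shell
#!/bin/sh
# Classify the text of `openssl version -a` against the advisory's range.
# Prints one of: affected-range | heartbeat-disabled | outside-range | unparsed
heartbleed_status() {
    info=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013" (some builds: "1.0.1e-fips").
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    [ -n "$ver" ] || { echo unparsed; return 0; }
    ver=${ver%-fips}
    case $ver in
        # 1.0.1a-f is the range in the message; 1.0.1 and 1.0.2-beta1 are
        # added here from the OpenSSL advisory (assumption, see lead-in).
        1.0.1|1.0.1[abcdef]|1.0.2-beta1) ;;
        *) echo outside-range; return 0 ;;
    esac
    # A rebuild with the TLS Heartbeat extension disabled carries this flag.
    case $info in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeat-disabled ;;
        # Vendor packages may carry the fix without a version change, so this
        # result means "confirm with the supplier", as the message says.
        *) echo affected-range ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'
SAMPLE_REBUILT='OpenSSL 1.0.1f 6 Jan 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'

for s in "$SAMPLE_VULN" "$SAMPLE_REBUILT" "$SAMPLE_FIXED"; do
    first=$(printf '%s\n' "$s" | head -n 1)
    printf '%s -> %s\n' "$first" "$(heartbleed_status "$s")"
done
```

On a real host, call it as `heartbleed_status "$(openssl version -a)"`. The `openssl` binary on the PATH is not necessarily the library that mod_ssl is linked against, so check the copy httpd actually loads.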
