From: Jeff Trawick <trawick@gmail.com>
To: Apache HTTP Server Development List <dev@httpd.apache.org>
Date: Fri, 11 Apr 2014 12:05:29 -0400
Subject: Re: Mini-advisory on heartbeat bug on http://httpd.apache.org/ ?

On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick wrote:

> On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <rainer.canavan@sevenval.com> wrote:
>
>> On Apr 11, 2014, at 14:38 , Jeff Trawick wrote:
>>
>> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
>> >
>> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
>> >
>> > If you obtain OpenSSL in binary form with or without Apache HTTP Server, contact the supplier of the binary for resolution. If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt.
>>
>> mod_spdy comes bundled with a script that builds mod_ssl.so with a statically linked OpenSSL. Other people may have done the same, or even with a mod_ssl built statically into apache. For those, just updating OpenSSL may be insufficient to fix the heartbleed bug.
>>
>> rainer
>
> Hmmm... mod_ssl could be linked statically with OpenSSL, mod_spdy or not. Yeah it is more complicated, but that makes it even more useful to explain.
>
> --/--
>
> httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is statically linked with mod_ssl. Note: The build of mod_spdy may rebuild mod_ssl in this manner.
>
> If you are using a commercial product based on Apache HTTP Server, consult the vendor for information about the applicability of CVE-2014-0160 to your server. If you are otherwise using mod_ssl or a replacement for it from a third party, consult the third party for more information. If your third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the vendor for more information.
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/

I'll leave it at this (plus any subsequent fixes):
http://emptyhammock.blogspot.com/2014/04/apache-http-server-and-cve-2014-0160-so.html

If anyone wants http://httpd.apache.org to have something similar, we can move/improve the text on my blog.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
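The thread's point is that a mod_ssl.so (or httpd) built with OpenSSL statically linked does not pick up a system OpenSSL update. The script below is an added check, not from the thread or the httpd project: it inspects a module file for a dynamic libssl dependency (via readelf or ldd, assumed to be on the host) and for the embedded OpenSSL version banner, and flags 1.0.1a-f as the affected range the advisory text names.

```shell
#!/bin/sh
# Added example (not httpd project code): does this mod_ssl.so / httpd binary
# carry its own OpenSSL, so that updating the system libssl is not enough?

# Extract the embedded OpenSSL banner, e.g. "OpenSSL 1.0.1e" out of
# "OpenSSL 1.0.1e 11 Feb 2013". tr+grep avoids needing binutils `strings`;
# LC_ALL=C keeps tr from rejecting non-UTF-8 bytes.
openssl_version_in() {
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" \
        | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][a-z]*' | head -n 1
}

# Does the file declare a dynamic dependency on libssl? readelf is preferred
# (it never executes the target); ldd is the fallback. 2 = neither tool found.
links_libssl_dynamically() {
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | grep NEEDED | grep -q libssl
    elif command -v ldd >/dev/null 2>&1; then
        ldd "$1" 2>/dev/null | grep -q libssl
    else
        return 2
    fi
}

# Prints: dynamic | static:<banner> | unknown. A dynamically linked mod_ssl
# also embeds the banner it was compiled against, so the banner alone cannot
# tell the cases apart; the NEEDED check decides.
classify_module() {
    ver=$(openssl_version_in "$1")
    if links_libssl_dynamically "$1"; then
        echo "dynamic"        # fix: update the system OpenSSL, restart httpd
    elif [ -n "$ver" ]; then
        echo "static:$ver"    # fix: rebuild mod_ssl/httpd against fixed OpenSSL
    else
        echo "unknown"
    fi
}

# Affected range as the advisory text states it: 1.0.1a through 1.0.1f.
is_heartbleed_affected() {
    case "$1" in
        "OpenSSL 1.0.1"[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_modssl.sh /path/to/mod_ssl.so   (path is an assumption)
if [ -f "${1:-}" ]; then echo "$1: $(classify_module "$1")"; fi
```

A "static:OpenSSL 1.0.1x" result with x in a-f means the module must be rebuilt, exactly the case Rainer raises; "dynamic" means the system OpenSSL update plus an httpd restart is the fix.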