httpd-users mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: [users@httpd] Upgrading OpenSSL without upgrading Apache. Can it be done???
Date Tue, 24 Apr 2012 21:21:32 GMT
On 4/24/2012 4:05 PM, BFinkeldei@aaamissouri.com wrote:
> 
> Great thanks for the info!
> 
> Where can I find out when apache.org will be bundling the latest version of OpenSSL with
> apache?  PCI compliance calls for using level "u" as of today.

If you had read the notices from the OpenSSL project you would be aware
that the particular flaws in openssl 0.9.8 .u, .v and .w do not pertain
to the operation or deployment of httpd 2.2.x.  They do apply to the
operation of httpd 2.4, and administrators of 2.4 should upgrade ASAP.
(And if you were running 2.3-beta, upgrading httpd to 2.4 would be a very
wise move as well for httpd security flaws).

AFAIK only the windows binary 'bundles' openssl.  As that binary is not
affected it will not be updated, certainly not unless an httpd 2.2.23 is
released.

The ASF provides binaries only as a convenience and at our leisure; if
you are professionally responsible for an installation of httpd, openssl
and so forth which you refuse to compile yourself, you would probably
benefit from contracting for the services you are demanding.  The ASF
is here to collaboratively produce source code.

