httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From BFinkel...@aaamissouri.com
Subject Re: [users@httpd] Upgrading OpenSSL without upgrading Apache. Can it be done???
Date Tue, 24 Apr 2012 21:05:44 GMT
Great thanks for the info!

Where can I find out when apache.org will be bundling the latest version 
of OpenSSL with apache?  PCI compliance calls for using level "u" as of 
today.


Brad Finkeldei




"William A. Rowe Jr." <wrowe@rowe-clan.net> 
04/24/2012 03:49 PM
Please respond to
users@httpd.apache.org


To
users@httpd.apache.org
cc

Subject
Re: [users@httpd] Upgrading OpenSSL without upgrading Apache.  Can it be 
done???






On 4/24/2012 3:09 PM, TFML wrote:
> I'm assuming you're using some sort of Windows operating system.  I 
haven't done one in a
> few years, but I would assume the 1.0 version
> from http://slproweb.com/products/Win32OpenSSL.html should work like 
installing any other
> Windows Installer.  If someone else can't answer this, I'd suggest 
setting up a virtual
> environment and giving it a try before doing it on a production system.

Just as on unix, you can never drop in a x.y.n change with a new x value.
That's called a major bump and usually does not work.

OP could obtain a 0.9.8X flavor later than 0.9.8t and aught to be fine so 
long
as no special build options were changed, and it was built to run against
msvcrt.dll (the *system* c library).  It's the same quandry as on Ubuntu 
with
glibc vs eglibc packages.

If OP reviewed the patch release notes, they would be aware that an 
upgrade
is unnecessary between 0.9.8t and 0.9.8w for anyone running httpd 2.2. The
new features in httpd 2.4 were vulnerable to issues there, however.





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org



Mime
View raw message