httpd-users mailing list archives

From Görkem Durğüt <gdur...@bkm.com.tr>
Subject [users@httpd] OpenSSL version in Apache 2.2.23
Date Fri, 21 Sep 2012 07:28:31 GMT
Hi,

While the latest build was 2.2.22 for the 2.2.x version, some vulnerabilities were found in
OpenSSL version 0.9.8t, which was included in the official "Win32 Binary including OpenSSL
0.9.8t (MSI Installer)" bundle. I have waited for the new version, which is 2.2.23, but it still
has not included the latest OpenSSL version in its SSL bundle.

I am a security guy, not the application server staff. I want my application server staff
to apply the patch to upgrade the OpenSSL version to 0.9.8v, which eliminates 3 OpenSSL vulnerabilities.
Thus, I have the following questions:


1. Why has Apache not included the latest OpenSSL version in the newly released 2.2.23
version? I have read somewhere that the latest OpenSSL version is included when releasing
a new version.

2. Is there an official bundle for 2.2.23 including OpenSSL 0.9.8v?

3. Is there a patch for Apache httpd to upgrade only its OpenSSL module (currently we
have the 2.2.22 version on a Windows server)? The patch may be applied to 2.2.22 or 2.2.23.
PS: The related OpenSSL vulnerabilities are as follows:

· http://www.openssl.org/news/secadv_20120312.txt
· http://www.openssl.org/news/secadv_20120419.txt
· http://www.openssl.org/news/secadv_20120510.txt

Please help.

Thanks & Regards,
Gorkem
