httpd-users mailing list archives

From Gorkem Durgut <gorkem...@yahoo.com>
Subject [users@httpd] Apache 2.2.x and CVE-2012-2333
Date Thu, 20 Dec 2012 09:33:14 GMT
Hi,

I am questioning if Apache 2.2.22 with OpenSSL 0.9.8t is affected by CVE-2012-2333 (OpenSSL
Invalid TLS/DTLS Record Denial of Service Vulnerability)?

You may find the details of the vulnerability here: http://www.openssl.org/news/secadv_20120510.txt

Here, it says that "DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later."

I do not have deeper knowledge about protocols but I think as follows: DTLS means TLS for
datagram packets so it means http does not use DTLS, right? On the other hand, TLS is affected
in OpenSSL 1.0.1 and later which means 0.9.8-related version is not affected, right?

Thus, can I imply that OpenSSL 0.9.8t version used with Apache httpd 2.2.22 is not affected
by this vulnerability?

Can anybody comment on this issue? Is Apache 2.2.22 with OpenSSL 0.9.8t affected by CVE-2012-2333?


Thanks & Regards,
Gorkem