httpd-users mailing list archives

From Gorkem Durgut <gorkem...@yahoo.com>
Subject [users@httpd] Re: Apache 2.2.x and CVE-2012-2333
Date Tue, 25 Dec 2012 14:26:11 GMT
Hi all,

Any idea on this issue?

Related to this issue, when will a person volunteer for the Windows version of Apache httpd 2.2.23 (hoping
this will include the latest OpenSSL 0.9.8x version)? Still waiting for more than 3 months
for the Windows version. Any "voluntary" help that will be published on the official site will be
very much appreciated by many users.

Regards,
Gorkem



>________________________________
> From: Gorkem Durgut <gorkemdur@yahoo.com>
>To: "users@httpd.apache.org" <users@httpd.apache.org> 
>Sent: Thursday, December 20, 2012 11:33 AM
>Subject: Apache 2.2.x and CVE-2012-2333
> 
>
>Hi,
>
>
>I am questioning if Apache 2.2.22 with OpenSSL 0.9.8t is affected by CVE-2012-2333 (OpenSSL Invalid TLS/DTLS Record Denial of Service Vulnerability)?
>
>
>You may find the details of the vulnerability here: http://www.openssl.org/news/secadv_20120510.txt
>
>
>Here, it says that "DTLS applications are affected in all versions of OpenSSL. TLS is only affected in OpenSSL 1.0.1 and later."
>
>
>I do not have deeper knowledge about protocols but I think as follows: DTLS means TLS for datagram packets so it means http does not use DTLS, right? On the other hand, TLS is affected in OpenSSL 1.0.1 and later which means 0.9.8-related version is not affected, right?
>
>
>Thus, can I imply that OpenSSL 0.9.8t version used with Apache httpd 2.2.22 is not affected with this vulnerability?
>
>
>Can anybody comment on this issue? Is Apache 2.2.22 with OpenSSL 0.9.8t affected by CVE-2012-2333?
>
>
>
>
>Thanks & Regards,
>Gorkem
>
>