Author |
|
nicklowe
Joined: 15 Apr 2007 Posts: 8
|
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Tue 08 Apr '14 10:27 Post subject: |
|
|
Yes, that is absolutely critical!!!
Pls support us with a new version.
Thanks! |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Tue 08 Apr '14 11:19 Post subject: |
|
|
VC11 build updated with OpenSSL 1.0.1g, VC9 and Vc10 follows |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Tue 08 Apr '14 13:45 Post subject: |
|
|
The new version runs like a charm!
Thanks! |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Tue 08 Apr '14 19:45 Post subject: |
|
|
Is not it just enough to replace the 1.0.1f dll's (ssleay32.dll & libeay32.dll) by the 1.0.1g versions? That would be a quick fix with almost no downtime needed. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Tue 08 Apr '14 20:37 Post subject: |
|
|
On a Win2k8 server with Apache 2.4 VC9 OpenSSL 1.0.1f this test results in 'Your server appears to be unaffected.'
On a Centos 6.5 server Apache 2.4 with a patched OpenSSL 1.0.1e the test states 'Your server appears to be patched against this bug.'
Did anyone get a positive result (=affected) from this test, especially on Windows servers? |
|
Back to top |
|
lambacck
Joined: 18 Dec 2008 Posts: 3 Location: Burlington, Ontario, Canada
|
Posted: Tue 08 Apr '14 20:40 Post subject: |
|
|
Jan-E:
I have heard reports that some testing tools are unreliable (showing not vulnerable) due to load. I got a failing result using the ssl labs test ( https://www.ssllabs.com/ssltest) earlier today for a 2.2 build from this site.
-Chris |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 08 Apr '14 22:22 Post subject: |
|
|
Jan-E wrote: |
Did anyone get a positive result (=affected) from this test, especially on Windows servers? |
Yepp I did! I did the test before and after patching. On the first one I got a positive result.
For example netfisca fr still is affected |
|
Back to top |
|
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
|
Posted: Tue 08 Apr '14 22:50 Post subject: |
|
|
Yes, we had positive results before and negative results after patching - so openssl 1.0.1g works.
Btw security can only be provided by exchanging the keys!!!
(Who can prove/confirm that the private key(s) have not been compromised in the past?) |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Tue 08 Apr '14 23:01 Post subject: |
|
|
The possible.tv test was very specific in its error messages, which made it credible.
However, SSLlabs said my Win2K8 server was vulnerable. I took Apache down for a few moments and replaced the ???eay32.dll's. After this action SSLlabs said that the server was not vulnerable anymore. Replacing htr DLL's proved to be a quick fix... |
|
Back to top |
|
Tina
Joined: 23 Jan 2014 Posts: 5
|
Posted: Wed 09 Apr '14 8:04 Post subject: Apache 2.4 win32 VC10 |
|
|
I would urgently need Apache 2.4 win32 VC10 updated but when I go on download page it still says it uses the openssl version openssl-1.0.1f
Do you have some kind of time schedule when you have a update for this so I can somehow decide how to proceed?
Thanks a lot.
/edit: oops sorry, accidentally posted two times |
|
Back to top |
|
nightmare11at
Joined: 09 Apr 2014 Posts: 1
|
Posted: Wed 09 Apr '14 12:03 Post subject: |
|
|
Ok, i am running apache 2.4.6 on a Windows Server 2008 R2 (x64). I patched the Vulnerabilty by just replacing the 3 files:
libeay32.dll
ssleay32.dll
openssl.exe
in the \Apache\bin\ directory
You can download the the new files here:
http://www.apachelounge.com/download/
Then i created a new key and asked my certificate provider to reissue the certificate. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Wed 09 Apr '14 14:10 Post subject: |
|
|
All 2.2.27 and 2.49 flavors are now updated, Win32 and Win64 build with VC9, VC10 and VC11.
Hope that all of you update as soon as possible.
Steffen |
|
Back to top |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Wed 09 Apr '14 14:15 Post subject: |
|
|
Thank you Steffen |
|
Back to top |
|
sratrerier
Joined: 19 Mar 2009 Posts: 4
|
Posted: Wed 09 Apr '14 14:44 Post subject: |
|
|
Thank you, and I just donated using the button on the left to help keep this server online. Your volunteer efforts are very generous. |
|
Back to top |
|
somnang
Joined: 08 Apr 2011 Posts: 61
|
Posted: Wed 09 Apr '14 15:20 Post subject: |
|
|
Based on CVE-2014-0160, 1.0.1g is a temporary fix. 1.0.2 will contain permanent fix? |
|
Back to top |
|
ted.byers
Joined: 03 Jan 2013 Posts: 19
|
Posted: Wed 09 Apr '14 17:21 Post subject: |
|
|
nightmare11at wrote: | Ok, i am running apache 2.4.6 on a Windows Server 2008 R2 (x64). I patched the Vulnerabilty by just replacing the 3 files:
libeay32.dll
ssleay32.dll
openssl.exe
in the \Apache\bin\ directory
You can download the the new files here:
http://www.apachelounge.com/download/
Then i created a new key and asked my certificate provider to reissue the certificate. |
I tried that on two machines. On the first, it seems to work. On the other, it appears not to have worked. Both are version 2.4.3. Is it a mistake to have tried this on 2.4.3 when the current release is 2.4.9? If so, can I upgrade to 2.4.9 by stopping/uninstalling Apache, copying the binary directory of the full 64 bit build that has the patch to the binary directory of the current install, and then reinstalling and restarting it (hmmmmm, that sounds like a FAQ: how to update an existing installation to the latest minor release -- where is the FAQ -- I guess I'll google a FAQ for upgrading Apache 2.4 on Windows)?
Thanks
Ted |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Wed 09 Apr '14 17:31 Post subject: |
|
|
Stop apache and/or apachemonitor
Copy all files over, except (config) files you changed
Start apache |
|
Back to top |
|
ted.byers
Joined: 03 Jan 2013 Posts: 19
|
Posted: Wed 09 Apr '14 17:50 Post subject: |
|
|
admin wrote: | Stop apache and/or apachemonitor
Copy all files over, except (config) files you changed
Start apache |
Thanks for this.
I checked http://wiki.apache.org/httpd/FAQ, and it says nothing about upgrade procedures. Neither does http://httpd.apache.org/docs/current/.
But, I take it all directories other than conf and htdocs need to be copied.
Thanks.
Ted |
|
Back to top |
|