Topic: Coming OpenSSL 1.0.2i ?
Mathan Karthik R
Joined: 02 May 2014 Posts: 4 Location: India
Posted: Wed 21 Sep '16 12:50 Post subject: Coming OpenSSL 1.0.2i ?
OpenSSL is planning to release the latest versions, 1.1.0a, 1.0.2i and 1.0.1u, on 22nd September 2016 [tomorrow].
It is specified that these versions will fix several security bugs, including one classified as "High" severity.
Refer to https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html for more details.
Hope that Apache Lounge would include this latest version of OpenSSL and release a build.
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
Posted: Wed 21 Sep '16 14:26 Post subject:
Yes, we always wait some time for testing and to see whether any new or other issues pop up.
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Wed 21 Sep '16 17:15 Post subject:
High severity is not as bad as it sounds. Most likely it will not be exploitable on most systems.
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
Posted: Thu 22 Sep '16 13:34 Post subject:
https://www.openssl.org/news/vulnerabilities.html#y2016
Quote:
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected. Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support.
On my development server both instances of Apache are upgraded: X86 VC9 & X64 VC11. SSLLabs verdict:
https://www.ssllabs.com/ssltest/analyze.html?d=fips.sessiondatabase.net
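Added example, not code from the thread, Apache Lounge or OpenSSL: a small Python triage helper that parses an `openssl version` line and classifies the build against the fixed releases named in the thread (1.1.0a, 1.0.2i, 1.0.1u) and the 1.0.1g threshold from the quoted advisory. The function and status names are my own; it assumes a default build, since the advisory says builds made with "no-ocsp" are not affected at any version.

```python
import re

# Added example. Fixed releases named in the thread (22 Sep 2016), keyed by
# (major, minor, patch) branch; the value is the letter that carries the fix.
FIXED_LETTER = {(1, 1, 0): "a", (1, 0, 2): "i", (1, 0, 1): "u"}
# From the quoted advisory: only 1.0.1g and later are affected by default;
# earlier builds are affected only if the application enables OCSP stapling.
DEFAULT_VULN_SINCE = (1, 0, 1, "g")

PATCHED = "patched"
VULN_DEFAULT = "vulnerable in a default configuration"
STAPLING_ONLY = "vulnerable only if OCSP stapling is explicitly enabled"
NOT_COVERED = "branch not covered by the quoted advisory"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def letter_rank(letters):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank

def parse_version(text):
    """Return (major, minor, patch, letters) from e.g. 'OpenSSL 1.0.2h  3 May 2016'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version string in %r" % text)
    major, minor, patch, letters = match.groups()
    return int(major), int(minor), int(patch), letters

def triage(text):
    """Classify an 'openssl version' line against the fix discussed in the thread."""
    # Assumes a default build; a 'no-ocsp' build is unaffected regardless of version.
    major, minor, patch, letters = parse_version(text)
    branch = (major, minor, patch)
    key = (major, minor, patch, letter_rank(letters))
    if branch in FIXED_LETTER and key[3] >= letter_rank(FIXED_LETTER[branch]):
        return PATCHED
    since = DEFAULT_VULN_SINCE[:3] + (letter_rank(DEFAULT_VULN_SINCE[3]),)
    if key < since:
        return STAPLING_ONLY
    if branch in FIXED_LETTER:
        return VULN_DEFAULT
    return NOT_COVERED
```

On a live host, feed it the real output with `triage(subprocess.check_output(["openssl", "version"], text=True))`; a result other than "patched" means the upgrade the thread is waiting for is still outstanding.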
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU