Author |
|
markberardi
Joined: 21 Oct 2017 Posts: 6 Location: USA, Irwin PA
|
Posted: Sat 21 Oct '17 15:06 Post subject: Apache 2.4.28 openssl 1.1.0g binary file |
|
|
Does anyone know where I can find a Windows 64 binary for openssl 1.1.0g or openssl 1.1.0f-git for Apache 24.28. I am using the Apache Lounge download of VC15 Apache 2.4.28. I am trying to fix the vulnerability: OpenSSL CVE-2017-3735 Security Bypass Vulnerability. Thanks in advance for any assistance. The 1.1.0f stable version of openssl provided with the Apache 24.28 VC15 download does not have the fix for this vulnerability. |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Sat 21 Oct '17 15:14 Post subject: |
|
|
There is no1.10g release at OpenSSL.org. We do not apply non released version. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Sun 22 Oct '17 18:39 Post subject: |
|
|
Shining Light does not have 1.1.0g either:
https://slproweb.com/products/Win32OpenSSL.html
The only solution at the moment: build it yourself.
Last edited by Jan-E on Sat 28 Oct '17 10:43; edited 1 time in total |
|
Back to top |
|
markberardi
Joined: 21 Oct 2017 Posts: 6 Location: USA, Irwin PA
|
Posted: Mon 23 Oct '17 15:08 Post subject: Apache 2.4.28 openssl 1.1.0g binary file |
|
|
Unfortunately, I do not have an environment/experience setup to build the binary. I am concerned that it will work correctly with the VC15 Apache 2.4.28 that I recently downloaded and installed. I also noticed that there is a version of 1.1.0f called 1.1.0f-git, which does have the fix for CVE-2017-3735. Anyone possibly have this built as 64 bit binary? |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
|
Posted: Mon 23 Oct '17 16:38 Post subject: |
|
|
I cannot find a 1.1.0f-git, where do you see it ?
What is your concern with CVE 2017-3735. At OpenSSL it is rated: Severity: Low
Description:
If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format. |
|
Back to top |
|
markberardi
Joined: 21 Oct 2017 Posts: 6 Location: USA, Irwin PA
|
|
Back to top |
|
markberardi
Joined: 21 Oct 2017 Posts: 6 Location: USA, Irwin PA
|
Posted: Mon 23 Oct '17 19:11 Post subject: Low Severity |
|
|
I agree completely regarding the Low Vulnerability, but out PCI Compliance team will not certify without a fix. |
|
Back to top |
|
markberardi
Joined: 21 Oct 2017 Posts: 6 Location: USA, Irwin PA
|
Posted: Wed 25 Oct '17 15:33 Post subject: Refreshing |
|
|
I guess I will have to setup and build the openssl 1.1.0g. Can anyone recommend a good document describing the process. |
|
Back to top |
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
|
Posted: Thu 26 Oct '17 20:50 Post subject: |
|
|
See NOTES.WIN in the OpenSSL source https://github.com/openssl/openssl/archive/OpenSSL_1_1_0-stable.zip
Note: For ease of use Perl and NASM need to be in the system's path.
That said, it's easy to build and I suggest if you're going to have to maintain PCI compliance between releases you do learn to build things for yourself.
For expediency however (this time only ):
[link removed]
Back up your current libcrypto & libssl DLLs and replace with these for whichever architecture you have, both x64 and x86 are in there.
Last edited by glsmith on Wed 16 May '18 14:50; edited 1 time in total |
|
Back to top |
|
markberardi
Joined: 21 Oct 2017 Posts: 6 Location: USA, Irwin PA
|
Posted: Fri 27 Oct '17 2:25 Post subject: OpenSSl 1.1.0g Build |
|
|
Thank you very much for the build. It is running quite well. I have schedule my PCI compliance test, and completely expect a passing grade. I greatly appreciate your assistance. thanks... Mark |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1266 Location: Amsterdam, NL, EU
|
Posted: Mon 30 Oct '17 23:01 Post subject: |
|
|
Forthcoming OpenSSL releases
============================
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0g and 1.0.2m.
These releases will be made available on 2nd November 2017 between approximately 1300-1700 UTC.
This is a bug-fix release. It will also include a fix for the low severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt
Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.
Yours
The OpenSSL Project Team |
|
Back to top |
|