logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Other Software View previous topic :: View next topic
Reply to topic   Topic: OpenSSL releases 10-Sep-2019: last ever 1.1.0
Author
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Fri 06 Sep '19 16:37    Post subject: OpenSSL releases 10-Sep-2019: last ever 1.1.0 Reply with quote

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.1d, 1.1.0l and 1.0.2t.

These releases will be made available on 10th September 2019 between approximately 1200-1600 UTC.

These are security fix releases. The highest severity security issue fixed by these releases is rated as LOW.

Please note that this is expected to be the last release of 1.1.0 before it goes out of support on 11th September 2019.

Yours

The OpenSSL Project Team
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Wed 11 Sep '19 13:36    Post subject: Reply with quote

Does this affect apache? I'm not so sure. What do you think?

https://www.openssl.org/news/secadv/20190910.txt
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Sat 14 Sep '19 11:13    Post subject: Reply with quote

Issues fixed by these releases are rated as LOW.

I doubt that users are dealing with this issues.
But when someone is dealing with these issues, can let us know.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Thu 19 Sep '19 14:10    Post subject: Reply with quote

Words from OpenSSL:

CVE-2019-1549 is related to how we reseed the random number generator in the event of a "fork". Since windows lacks the capability to do fork it is not a problem on that platform.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Tue 24 Sep '19 15:26    Post subject: Reply with quote

Because IAVA 2019-A-0303 was published and requiring compliance in some industries I was asked to build Win64 VS16/VC14.

Just to share:

Removed

Ps.
IAVA is a US Department of Defense cyber security notice that stands for "Information Assurance Vulnerability Alert". Only regularly available to DoD personnel and considered For Official Use Only or FOUO.


Last edited by Steffen on Wed 18 Mar '20 12:53; edited 1 time in total
Back to top
lordcochise



Joined: 24 Oct 2019
Posts: 1
Location: United States

PostPosted: Fri 25 Oct '19 17:05    Post subject: Reply with quote

FWIW we have to comply with PCI now, and this came up the other day, appreciate the update Wink
Back to top
blackbird



Joined: 10 Nov 2016
Posts: 4
Location: USA

PostPosted: Wed 12 Feb '20 18:15    Post subject: Reply with quote

Hello Steffen,

The OpenSSL-1.0.2t.rar is very useful. Is it possible to have Win64 VC14 OpenSSL 1.0.2u or later version? Thanks!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Wed 12 Feb '20 18:45    Post subject: Reply with quote

Apache 2.4.42 is in discussion for a release. When available it is shipped with the latest.

How urgent is it for you ?
Back to top
blackbird



Joined: 10 Nov 2016
Posts: 4
Location: USA

PostPosted: Wed 12 Feb '20 19:26    Post subject: Reply with quote

The security guy asked me to update it soon. What is the estimated release date for 2.4.42? I can tell him about it. Thanks
Back to top
blackbird



Joined: 10 Nov 2016
Posts: 4
Location: USA

PostPosted: Wed 12 Feb '20 20:05    Post subject: Reply with quote

I just downloaded openssl-1.0.2u-x64_86-win64.zip binary from fulgan, put three openssl files into Apache24/bin, seems it is working well. I am not sure if there are any problems.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Thu 20 Feb '20 11:43    Post subject: Reply with quote

Be warned to use third party DLL's, you must absolute sure it is not manipulated.

And in the fulgan case, you are not sure witch Compiler linker is used MINGW (can give issues) or Visual Studio (when not the same VC version, can give issues).

So do not use in production.

You are save when you download a Apache Binary from here with OpenSSL included en use PGP and/or the check-sums.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Thu 20 Feb '20 13:46    Post subject: Reply with quote

Fulgan uses MINGW, as it is dependent on msvrt.dll and not on the Microsoft Visual Studio Runtime DLLs.

Source: https://wiki.openssl.org/index.php/Binaries

I always compile OpenSSL myself or let Appveyor build it (free for Github users if used for Opensource projects)

Build log for OpenSSL 1.0.2u VC14 Win64 with OpenSSL Fips 2.0.16 here:
https://ci.appveyor.com/project/Jan-E/openssl-fips/build/job/9iauc0vdrv9bauyc?fullLog=true

Downloads here:
https://ci.appveyor.com/project/Jan-E/openssl-fips/build/job/9iauc0vdrv9bauyc/artifacts

If you trust Appveyor it can be a fast way to build your own OpenSSL binaries

Appveyor.yml here:
https://github.com/Jan-E/OpenSSL-Fips
Back to top


Reply to topic   Topic: OpenSSL releases 10-Sep-2019: last ever 1.1.0 View previous topic :: View next topic
Post new topic   Forum Index -> Other Software