Topic: Apache with OpenSSL 3.0.8 < 3.0.9 Multiple Vulnerabilitie

[carman]

I would like to know is there any plan to release a new build of Apache with OpenSSL > 3.0.8 version as this finding shows after performed SRAA. Checked that OpenSSL has released 3.1.0.

The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.

- A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)

Thanks.

[Steffen]

There is no 3.0.9 yet. When it is released by OpenSSL we build httpd with it.

See the note in the Advisory https://www.openssl.org/news/secadv/20230322.txt :

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be
included in the next releases when they become available.

[carman]

Noted with thanks!

[lucasduzo]

Hello team;

Did you find version 2.4.57 with OpenSSL 3.0.8 for binary download for windows?
Or does it not exist yet?
Or is there any way to update manually?

[admin]

It is updated to 3.1.0

[jjaimez]

Will there be plans to upgrade to OpenSSL version 3.1.1 soon? There are several CVEs listed that require this action:
CVE-2023-0464
CVE-2023-0465
CVE-2023-0466

Thank you for any info you can provide.

[admin]

Not released yet by OpenSSL.org

No critical and high severity.

[Jan-E]

3.1.1, 3.0.9 and 1.1.1u will be released tomorrow. BTW: curl will have a release 8.1.2 tomorrow as well.