logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache with OpenSSL 3.0.8 < 3.0.9 Multiple Vulnerabilitie
Author
carman



Joined: 09 May 2023
Posts: 2
Location: HK

PostPosted: Tue 09 May '23 9:50    Post subject: Apache with OpenSSL 3.0.8 < 3.0.9 Multiple Vulnerabilitie Reply with quote

I would like to know is there any plan to release a new build of Apache with OpenSSL > 3.0.8 version as this finding shows after performed SRAA. Checked that OpenSSL has released 3.1.0.

The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.

- A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)

Thanks.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Tue 09 May '23 10:11    Post subject: Reply with quote

There is no 3.0.9 yet. When it is released by OpenSSL we build httpd with it.

See the note in the Advisory https://www.openssl.org/news/secadv/20230322.txt :

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be
included in the next releases when they become available.
Back to top
carman



Joined: 09 May 2023
Posts: 2
Location: HK

PostPosted: Tue 09 May '23 10:21    Post subject: Reply with quote

Noted with thanks!
Back to top
lucasduzo



Joined: 15 May 2023
Posts: 1
Location: Brazil

PostPosted: Mon 15 May '23 20:52    Post subject: Reply with quote

Hello team;

Did you find version 2.4.57 with OpenSSL 3.0.8 for binary download for windows?
Or does it not exist yet?
Or is there any way to update manually?
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Mon 15 May '23 21:12    Post subject: Reply with quote

It is updated to 3.1.0
Back to top
jjaimez



Joined: 15 Mar 2022
Posts: 4
Location: USA, Memphis

PostPosted: Thu 25 May '23 15:16    Post subject: info on version 3.1.1 Reply with quote

Will there be plans to upgrade to OpenSSL version 3.1.1 soon? There are several CVEs listed that require this action:
CVE-2023-0464
CVE-2023-0465
CVE-2023-0466

Thank you for any info you can provide.
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Thu 25 May '23 15:21    Post subject: Reply with quote

Not released yet by OpenSSL.org

No critical and high severity.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU

PostPosted: Mon 29 May '23 18:25    Post subject: Reply with quote

3.1.1, 3.0.9 and 1.1.1u will be released tomorrow. BTW: curl will have a release 8.1.2 tomorrow as well.
Back to top


Reply to topic   Topic: Apache with OpenSSL 3.0.8 < 3.0.9 Multiple Vulnerabilitie View previous topic :: View next topic
Post new topic   Forum Index -> Apache