Topic: Apache 2.4.28 openssl 1.1.0g binary file

[markberardi]

Does anyone know where I can find a Windows 64 binary for openssl 1.1.0g or openssl 1.1.0f-git for Apache 24.28. I am using the Apache Lounge download of VC15 Apache 2.4.28. I am trying to fix the vulnerability: OpenSSL CVE-2017-3735 Security Bypass Vulnerability. Thanks in advance for any assistance. The 1.1.0f stable version of openssl provided with the Apache 24.28 VC15 download does not have the fix for this vulnerability.

[admin]

There is no1.10g release at OpenSSL.org. We do not apply non released version.

[Jan-E]

Shining Light does not have 1.1.0g either:
https://slproweb.com/products/Win32OpenSSL.html

The only solution at the moment: build it yourself.

[markberardi]

Unfortunately, I do not have an environment/experience setup to build the binary. I am concerned that it will work correctly with the VC15 Apache 2.4.28 that I recently downloaded and installed. I also noticed that there is a version of 1.1.0f called 1.1.0f-git, which does have the fix for CVE-2017-3735. Anyone possibly have this built as 64 bit binary?

[Steffen]

I cannot find a 1.1.0f-git, where do you see it ?

What is your concern with CVE 2017-3735. At OpenSSL it is rated: Severity: Low

Description:

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.

[markberardi]

Thanks for the reply, found it on this site. http://www.securityfocus.com/bid/100515

[markberardi]

I agree completely regarding the Low Vulnerability, but out PCI Compliance team will not certify without a fix.

[markberardi]

I guess I will have to setup and build the openssl 1.1.0g. Can anyone recommend a good document describing the process.

[glsmith]

See NOTES.WIN in the OpenSSL source https://github.com/openssl/openssl/archive/OpenSSL_1_1_0-stable.zip

Note: For ease of use Perl and NASM need to be in the system's path.

That said, it's easy to build and I suggest if you're going to have to maintain PCI compliance between releases you do learn to build things for yourself.

For expediency however (this time only ):
[link removed]

Back up your current libcrypto & libssl DLLs and replace with these for whichever architecture you have, both x64 and x86 are in there.

[markberardi]

Thank you very much for the build. It is running quite well. I have schedule my PCI compliance test, and completely expect a passing grade. I greatly appreciate your assistance. thanks... Mark

[Jan-E]

Forthcoming OpenSSL releases
============================

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.1.0g and 1.0.2m.

These releases will be made available on 2nd November 2017 between approximately 1300-1700 UTC.

This is a bug-fix release. It will also include a fix for the low severity security issue previously published here:
https://www.openssl.org/news/secadv/20170828.txt

Please also note that, as per our previous announcements, support for 1.0.1 ended on 31st December 2016.

Yours

The OpenSSL Project Team