Topic: OpenSSL in Apache binary roadmap !
scott4455
Joined: 10 Feb 2020 Posts: 2
Posted: Mon 10 Feb '20 20:23 Post subject: OpenSSL in Apache binary roadmap !
We are getting a Medium level hit in our security scans due to OpenSSL being 1.1.1d rather than 1.1.1e-dev. We can mitigate by removing some of the cipher suites, but I could not find any information on how the mod_ssl.so module is slated to be updated.
We only have 1.1.1d due to scouring the forums here and finding a link where someone built one for another CVE, and I can't seem to find that post anymore either. Searches for openssl, mod_ssl.so, 1.1.1d, etc. seem to just turn up 2.2 to 2.4 upgrades and PHP integrations.
I'm not advocating for a dev version of a module, but am curious how the process works. Any info on how these get into the pipeline, and where they could be found or requested, would be appreciated.
Many thanks!
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
Posted: Mon 10 Feb '20 22:37
The policy is released versions only.
Dev versions can introduce new issues/vulnerabilities; that is risky.
As soon as the OpenSSL team releases a new version and classifies fixes at severity level critical and/or high, we try to make an Apache binary available within days.
When your Medium level hit is a serious issue, the OpenSSL team gives it priority.
scott4455
Joined: 10 Feb 2020 Posts: 2
Posted: Wed 19 Feb '20 20:18
That's pretty much the reasoning we're giving the security teams at this point too.
Thank you for the info!
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Thu 20 Feb '20 11:47
Want to repeat it here:
Users are using a third-party DLL for the latest OpenSSL.
Be warned about using third-party DLLs: you must be absolutely sure they are not manipulated.
Mostly you are not sure which compiler/linker was used: MinGW (can give issues) or Visual Studio (when not the same VC version, can give issues).
So do not use them in production.
You are safe when you download an Apache binary from here with OpenSSL included and use PGP and/or the checksums.
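Added example (not code from Apache Lounge, Apache httpd or OpenSSL) covering the two checks this thread touches: the OpenSSL version finding in scott4455's first post and Steffen's advice above to rely only on a binary whose PGP signature and checksums you have verified. The script compares downloaded files against a published SHA-256 list, shells out to gpg for the detached signature, and reads the version banner that OpenSSL compiles into libssl/libcrypto so you can see which release a scanner will report. File names, the checksum-list layout and the sample bytes are constructed assumptions.

```python
"""Checks for a downloaded Apache/OpenSSL build before it goes to production.

Added example, not code from Apache Lounge or OpenSSL. Two checks:
  1. compare each file against a published SHA-256 list (the checksum step;
     the PGP signature over that list is what turns "matches the list"
     into "comes from the publisher"),
  2. read the version banner OpenSSL compiles into libcrypto/libssl, so you
     know which release a scanner will report.
File names and the checksum-list layout below are assumptions.
"""
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional

# OPENSSL_VERSION_TEXT as baked into libcrypto, e.g. "OpenSSL 1.1.1d  10 Sep 2019".
# Development snapshots carry the placeholder date "xx XXX xxxx".
VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[A-Za-z0-9]+)?)\s+"
    rb"(?:\d{1,2} [A-Z][a-z]{2} \d{4}|xx XXX xxxx)"
)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large distribution zips do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.lstrip(" *")] = digest.lower()
    return entries


def verify_checksum(path: Path, checksums: Dict[str, str]) -> bool:
    """False on mismatch AND when the file is not listed at all: a missing
    entry must never be read as 'nothing to check'."""
    expected = checksums.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def openssl_version(path: Path) -> Optional[str]:
    """Return e.g. '1.1.1d' from the banner embedded in a DLL/.so, or None."""
    m = VERSION_RE.search(path.read_bytes())
    return m.group(1).decode() if m else None


def gpg_verify(signature: Path, target: Path) -> bool:
    """Verify a detached PGP signature with the local gpg binary. The
    publisher's key must already be imported; False if gpg is not installed."""
    try:
        r = subprocess.run(["gpg", "--verify", str(signature), str(target)],
                           capture_output=True, check=False)
    except FileNotFoundError:
        return False
    return r.returncode == 0


def demo() -> dict:
    """Constructed sample data (not real binaries): one 'DLL' that matches its
    listed hash, one tampered copy with a bogus hash entry, one unlisted file."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "libssl-1_1-x64.dll"
    good.write_bytes(b"MZ\x00fake\x00OpenSSL 1.1.1d  10 Sep 2019\x00payload")
    bad = tmp / "libcrypto-1_1-x64.dll"
    bad.write_bytes(b"MZ\x00tampered\x00OpenSSL 1.1.1e-dev  xx XXX xxxx\x00")
    listing = (
        f"{sha256_file(good)}  {good.name}\n"
        f"{'0' * 64} *{bad.name}\n"
    )
    sums = parse_checksums(listing)
    return {
        "good_ok": verify_checksum(good, sums),
        "bad_ok": verify_checksum(bad, sums),
        "unlisted_ok": verify_checksum(tmp / "mod_ssl.so", sums),
        "good_version": openssl_version(good),
        "bad_version": openssl_version(bad),
    }


if __name__ == "__main__":
    print(demo())
```

A checksum list only proves the file you have is the file the list describes; run `gpg_verify` against the signature of the list (or of the archive) after importing the publisher's key, otherwise an attacker who replaced the download can replace the list too. The banner check reads whatever file you point it at, so run it on the libssl/libcrypto DLLs next to httpd.exe; on Windows, `Get-FileHash -Algorithm SHA256` gives the same digest as `sha256_file` if you prefer PowerShell for the first step.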
Brian Gimbli
Joined: 11 Mar 2020 Posts: 4 Location: Houston
Posted: Mon 16 Mar '20 15:01
Hey, guys!
I am new here. Glad to join the community.