logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: OpenSSL in Apache binary roadmap !
Author
scott4455



Joined: 10 Feb 2020
Posts: 2

PostPosted: Mon 10 Feb '20 20:23    Post subject: OpenSSL in Apache binary roadmap ! Reply with quote

We are getting a Medium level hit in our security scans due to OpenSSL being 1.1.1d rather than 1.1.1e-dev. We can mitigate with removing some of the cipher suites, but I could not find any information on how the mod_ssl.so module is slated to be updated.

We only have 1.1.1d due to scouring the forums here and finding a link where someone built one for another CVE, and I can't seem to find that post anymore either. Searches for openssl, mod_ssl.so, 1.1.1d, etc... seem to just turn up 2.2 to 2.4 upgrades, and PHP integrations.

I'm not advocating for a dev version of a module, but am curious how the process works. Any info in how these get into the pipeline, and where they could be found or requested, would be appreciated.

Many thanks!
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Mon 10 Feb '20 22:37    Post subject: Reply with quote

Policy is only released versions.

Dev versions can introduce new issues/vulnerabilities, is risky.

As soon the OpenSSL team releases a new version, and they classify fixes a severity levels critical and/or high, then we try to make a Apache binary available within days.

When your Medium level hit is a serious issue, then the OpenSSL Team gives it priority.
Back to top
scott4455



Joined: 10 Feb 2020
Posts: 2

PostPosted: Wed 19 Feb '20 20:18    Post subject: Reply with quote

That's pretty much the reasoning we're giving the security teams at this point too.

Thank you for the info!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Thu 20 Feb '20 11:47    Post subject: Reply with quote

Want to repeat it here:

Users are using a Third Party DLL for a latest OpenSSL.

Be warned to use third party DLL's, you must absolute sure it is not manipulated.

Mostly you are not sure wich Compiler linker is used MINGW (can give issues) or Visual Studio (when not the same VC version, can give issues).

So do not use in Production.

You are save when you download a Apache Binary from here with OpenSSL included en use PGP and/or the check-sums.
Back to top
Brian Gimbli



Joined: 11 Mar 2020
Posts: 4
Location: Houston

PostPosted: Mon 16 Mar '20 15:01    Post subject: Reply with quote

Hey, guys!
I am new here. Glad to join the community Very Happy
Back to top


Reply to topic   Topic: OpenSSL in Apache binary roadmap ! View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout