logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Updating OpenSSL to 3.1.5
Author
NotEnoughSteel



Joined: 26 Feb 2024
Posts: 2

PostPosted: Tue 27 Feb '24 5:43    Post subject: Updating OpenSSL to 3.1.5 Reply with quote

Hello,
Our vulnerability scans have picked up out-of-date OpenSSL files within an Apache install. The current version of Apache is 2.4.58 and the version of openssl.exe and libssl-3-64x.dll are both 3.1.3. Scans recommend updating these files to 3.1.5 to resolve the specified vulnerability (CVE-2023-5678).
Is it possible to only update these 2 files separately from the latest Apache package by overwriting just the two target files, or will this break Apache and will actually need the entire package to be updated?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3093
Location: Hilversum, NL, EU

PostPosted: Tue 27 Feb '24 8:39    Post subject: Reply with quote

Current download is already 3.1.5
Back to top
NotEnoughSteel



Joined: 26 Feb 2024
Posts: 2

PostPosted: Thu 29 Feb '24 5:09    Post subject: Reply with quote

I already know the latest release is 3.1.5. The download I got for Apache 2.4.58 sometime earlier was released with 3.1.3. My question was can I simply replace those OpenSSL files individually or will I need to perform another 'update' to Apache even though the Apache version will remain the same?
I'm asking because updating Apache itself is much more complicated over just replacing 2 individual files.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Fri 01 Mar '24 20:32    Post subject: Reply with quote

If you choose to overwrite some of the OpenSSL related files in Apache with later versions, and things still appear to work ok, there's no guarantee you won't break some functionality.

There are also other files involved with SSL services, e.g. libcrypto-3-x64.dll, plus module linkage through mod_ssl.so, mod_session_crypto.so, etc.

Why would you want to take such a risk with your service, especially where security is concerned?

I'd advise updating.

Note, if your concern is refreshing various configuration settings below the default Apache directories, you can always develop a configuration where these files are located below a separate directory tree, e.g. Apache24\common\conf, Apache24\common\certificates, Apache24\common\logs, and you simply include your configuration settings from the end of the default Apache24\conf\httpd.conf. Somewhat easier to maintain.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Wed 06 Mar '24 9:46    Post subject: Reply with quote

NotEnoughSteel wrote:

I'm asking because updating Apache itself is much more complicated over just replacing 2 individual files.


Stop apache. Backup the apache folder. Delete bin and modules folder and extract the bin and modules from the zip file into the apache folder. Start apache.
Back to top


Reply to topic   Topic: Updating OpenSSL to 3.1.5 View previous topic :: View next topic
Post new topic   Forum Index -> Apache