Author |
|
winstonolson
Joined: 18 Jul 2022 Posts: 3 Location: Pasadena, CA
|
Posted: Mon 30 Oct '23 19:26 Post subject: OpenSSL 3.1.4 |
|
|
Is there a plan to release an updated build with OpenSSL 3.1.4 anytime soon? The latest bug identified on https://www.openssl.org/news/vulnerabilities.html is considered "moderate". Thanks! |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Mon 30 Oct '23 20:01 Post subject: |
|
|
They say:The OpenSSL SSL/TLS implementation is not affected by this issue.
Think Apache is not affected.
When we have some spare time, we update. |
|
Back to top |
|
tbare
Joined: 08 Nov 2023 Posts: 1 Location: United States
|
Posted: Wed 08 Nov '23 15:34 Post subject: Source |
|
|
My PCI scans are coming back with "OpenSSL 3.1.0 < 3.1.4 Vulnerability CVE-2023-5363" -- do you have a source showing that Apache is not affected by the issue so I can flag it as a false positive?
Thanks! |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Wed 08 Nov '23 15:58 Post subject: |
|
|
No source. It is our interpretation and there are no reports at ASF that this CVE has effect. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Fri 10 Nov '23 13:52 Post subject: Re: Source |
|
|
tbare wrote: | My PCI scans are coming back with "OpenSSL 3.1.0 < 3.1.4 Vulnerability CVE-2023-5363" -- do you have a source showing that Apache is not affected by the issue so I can flag it as a false positive?
Thanks! |
The two last releases shown in the notes
"The OpenSSL SSL/TLS implementation is not affected by this issue."
Therefore I agree with Steffen that there are no issues with that and no need to update SSL. |
|
Back to top |
|
qsligh
Joined: 30 Oct 2023 Posts: 1 Location: USA, Suffolk VA
|
Posted: Mon 27 Nov '23 15:10 Post subject: OpenSSL 3.1.4 |
|
|
I'm getting hit on my scans for not having OpenSSL 3.1.4 and the scans are listing the severity score of 7.5 which is a "high" on the NIST NVD webpage for CVE-2023-5363. Is there any timeline when Apache for Windows will upgrage the OpenSSL version? |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Mon 27 Nov '23 16:04 Post subject: |
|
|
Does NIST mention Apache ? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Wed 29 Nov '23 10:36 Post subject: |
|
|
Steffen wrote: | Does NIST mention Apache ? |
NIST writes to this: The OpenSSL SSL/TLS implementation is not affected by this issue. |
|
Back to top |
|