logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: OpenSSL 3.1.4
Author
winstonolson



Joined: 18 Jul 2022
Posts: 3
Location: Pasadena, CA

PostPosted: Mon 30 Oct '23 19:26    Post subject: OpenSSL 3.1.4 Reply with quote

Is there a plan to release an updated build with OpenSSL 3.1.4 anytime soon? The latest bug identified on https://www.openssl.org/news/vulnerabilities.html is considered "moderate". Thanks!
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

PostPosted: Mon 30 Oct '23 20:01    Post subject: Reply with quote

They say:The OpenSSL SSL/TLS implementation is not affected by this issue.

Think Apache is not affected.

When we have some spare time, we update.
Back to top
tbare



Joined: 08 Nov 2023
Posts: 1
Location: United States

PostPosted: Wed 08 Nov '23 15:34    Post subject: Source Reply with quote

My PCI scans are coming back with "OpenSSL 3.1.0 < 3.1.4 Vulnerability CVE-2023-5363" -- do you have a source showing that Apache is not affected by the issue so I can flag it as a false positive?

Thanks!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3094
Location: Hilversum, NL, EU

PostPosted: Wed 08 Nov '23 15:58    Post subject: Reply with quote

No source. It is our interpretation and there are no reports at ASF that this CVE has effect.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Fri 10 Nov '23 13:52    Post subject: Re: Source Reply with quote

tbare wrote:
My PCI scans are coming back with "OpenSSL 3.1.0 < 3.1.4 Vulnerability CVE-2023-5363" -- do you have a source showing that Apache is not affected by the issue so I can flag it as a false positive?

Thanks!


The two last releases shown in the notes

"The OpenSSL SSL/TLS implementation is not affected by this issue."

Therefore I agree with Steffen that there are no issues with that and no need to update SSL.
Back to top
qsligh



Joined: 30 Oct 2023
Posts: 1
Location: USA, Suffolk VA

PostPosted: Mon 27 Nov '23 15:10    Post subject: OpenSSL 3.1.4 Reply with quote

I'm getting hit on my scans for not having OpenSSL 3.1.4 and the scans are listing the severity score of 7.5 which is a "high" on the NIST NVD webpage for CVE-2023-5363. Is there any timeline when Apache for Windows will upgrage the OpenSSL version?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3094
Location: Hilversum, NL, EU

PostPosted: Mon 27 Nov '23 16:04    Post subject: Reply with quote

Does NIST mention Apache ?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7374
Location: Germany, Next to Hamburg

PostPosted: Wed 29 Nov '23 10:36    Post subject: Reply with quote

Steffen wrote:
Does NIST mention Apache ?


NIST writes to this: The OpenSSL SSL/TLS implementation is not affected by this issue.
Back to top


Reply to topic   Topic: OpenSSL 3.1.4 View previous topic :: View next topic
Post new topic   Forum Index -> Apache