Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Updating OpenSSL to 3.1.5 |
|
Author |
|
NotEnoughSteel
Joined: 26 Feb 2024 Posts: 2
|
Posted: Tue 27 Feb '24 5:43 Post subject: Updating OpenSSL to 3.1.5 |
|
|
Hello,
Our vulnerability scans have picked up out-of-date OpenSSL files within an Apache install. The current version of Apache is 2.4.58 and the version of openssl.exe and libssl-3-64x.dll are both 3.1.3. Scans recommend updating these files to 3.1.5 to resolve the specified vulnerability (CVE-2023-5678).
Is it possible to only update these 2 files separately from the latest Apache package by overwriting just the two target files, or will this break Apache and will actually need the entire package to be updated? |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Tue 27 Feb '24 8:39 Post subject: |
|
|
Current download is already 3.1.5 |
|
Back to top |
|
NotEnoughSteel
Joined: 26 Feb 2024 Posts: 2
|
Posted: Thu 29 Feb '24 5:09 Post subject: |
|
|
I already know the latest release is 3.1.5. The download I got for Apache 2.4.58 sometime earlier was released with 3.1.3. My question was can I simply replace those OpenSSL files individually or will I need to perform another 'update' to Apache even though the Apache version will remain the same?
I'm asking because updating Apache itself is much more complicated over just replacing 2 individual files. |
|
Back to top |
|
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
|
Posted: Fri 01 Mar '24 20:32 Post subject: |
|
|
If you choose to overwrite some of the OpenSSL related files in Apache with later versions, and things still appear to work ok, there's no guarantee you won't break some functionality.
There are also other files involved with SSL services, e.g. libcrypto-3-x64.dll, plus module linkage through mod_ssl.so, mod_session_crypto.so, etc.
Why would you want to take such a risk with your service, especially where security is concerned?
I'd advise updating.
Note, if your concern is refreshing various configuration settings below the default Apache directories, you can always develop a configuration where these files are located below a separate directory tree, e.g. Apache24\common\conf, Apache24\common\certificates, Apache24\common\logs, and you simply include your configuration settings from the end of the default Apache24\conf\httpd.conf. Somewhat easier to maintain. |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Wed 06 Mar '24 9:46 Post subject: |
|
|
NotEnoughSteel wrote: |
I'm asking because updating Apache itself is much more complicated over just replacing 2 individual files. |
Stop apache. Backup the apache folder. Delete bin and modules folder and extract the bin and modules from the zip file into the apache folder. Start apache. |
|
Back to top |
|
|
|
|
|
|