
Mailing List Archive: Apache: Users

OpenSSL version in Apache 2.2.23

 

 



gdurgut at bkm

Sep 21, 2012, 12:28 AM

Post #1 of 8 (2299 views)
OpenSSL version in Apache 2.2.23

Hi,

While the latest build was 2.2.22 for the 2.2.x version, some vulnerabilities were found in OpenSSL version 0.9.8t, which was present in the official "Win32 Binary including OpenSSL 0.9.8t (MSI Installer)" bundle. I have waited for the new version, which is 2.2.23, but it still has not included the latest OpenSSL version in its SSL bundle.

I am a security guy, not the application server staff. I want my application server staff to apply the patch to upgrade the OpenSSL version to 0.9.8v, which eliminates 3 OpenSSL vulnerabilities. Thus, I have the following questions:


1. Why has Apache not included the latest OpenSSL version in the newly released 2.2.23 version? I have read somewhere that the latest OpenSSL version is included when a new version is released.

2. Is there an official bundle for 2.2.23 including OpenSSL 0.9.8v?

3. Is there a patch for Apache httpd to upgrade only its OpenSSL module? (Currently we have the 2.2.22 version on a Windows server.) The patch may be applied to 2.2.22 or 2.2.23.

PS: The related OpenSSL vulnerabilities are as follows:

http://www.openssl.org/news/secadv_20120312.txt

http://www.openssl.org/news/secadv_20120419.txt

http://www.openssl.org/news/secadv_20120510.txt

Please help.

Thanks & Regards,
Gorkem


mamfelt at gmail

Sep 21, 2012, 6:23 AM

Post #2 of 8 (2235 views)
Re: OpenSSL version in Apache 2.2.23

I cannot speak for all packagers, but I do not bundle openssl in mine
- it uses whatever the hosting server has installed.

So, I think it would help if you mentioned what platform you are
using, and whether you package/build for yourself.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


gdurgut at bkm

Sep 21, 2012, 6:35 AM

Post #3 of 8 (2256 views)
RE: OpenSSL version in Apache 2.2.23

Actually, I was talking about the official release existing in Apache Http Server Project (Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.23-win32-x86-openssl-0.9.8t.msi).

The current Apache version is 2.2.22, and the OpenSSL version is 0.9.8t. What I need is to upgrade OpenSSL to 0.9.8v. Upgrading Apache to 2.2.23 is optional. The problem is I cannot find an official installation package or patch on the Apache website. Although this OpenSSL version has vulnerabilities and a new build of Apache has been released, the latest version of OpenSSL has not been included.

Server: Windows Server 2003 32-bit
Apache: 2.2.22 including OpenSSL 0.9.8t

Regards,
Gorkem



covener at gmail

Sep 21, 2012, 6:47 AM

Post #4 of 8 (2252 views)
Re: OpenSSL version in Apache 2.2.23

On Fri, Sep 21, 2012 at 9:35 AM, Görkem Durğüt <gdurgut [at] bkm> wrote:
> Actually, I was talking about the official release existing in Apache Http Server Project (Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.23-win32-x86-openssl-0.9.8t.msi).
>
> The current Apache version is 2.2.22, and the OpenSSL version is 0.9.8t. What I need is to upgrade OpenSSL to 0.9.8v. Upgrading Apache to 2.2.23 is optional. The problem is I cannot find an official installation package or patch on the Apache website. Although this OpenSSL version has vulnerabilities and a new build of Apache has been released, the latest version of OpenSSL has not been included.
>
> Server: Windows Server 2003 32-bit
> Apache: 2.2.22 including OpenSSL 0.9.8t

The official packages are source code, everything else is a
contribution for convenience. Some third-party websites (e.g.
apachelounge) might have a build for you.



gdurgut at bkm

Sep 27, 2012, 1:05 AM

Post #5 of 8 (2247 views)
RE: OpenSSL version in Apache 2.2.23

Hi,

I was talking about the "binary" files for Windows published on the Apache.org website. You can check the files at the link below. I have seen the 2.2.23 binary installation files for Windows on this page, including OpenSSL-0.9.8t, as I stated in my previous e-mail. It is interesting that I cannot see this binary package anymore. You may see other similar files, e.g. for version 2.0.64.

http://httpd.apache.org/download.cgi


Regards,
Gorkem





covener at gmail

Sep 27, 2012, 3:47 AM

Post #6 of 8 (2206 views)
Re: OpenSSL version in Apache 2.2.23

On Thu, Sep 27, 2012 at 4:05 AM, Görkem Durğüt <gdurgut [at] bkm> wrote:
> Hi,
>
> I was talking about the "binary" files for Windows published on the Apache.org website. You can check the files at the link below. I have seen the 2.2.23 binary installation files for Windows on this page, including OpenSSL-0.9.8t, as I stated in my previous e-mail. It is interesting that I cannot see this binary package anymore. You may see other similar files, e.g. for version 2.0.64.
>
> http://httpd.apache.org/download.cgi

Me too.



awang at ptc

Sep 28, 2012, 9:51 AM

Post #7 of 8 (2191 views)
Re: OpenSSL version in Apache 2.2.23

On 09/27/2012 05:47 AM, Eric Covener wrote:
> On Thu, Sep 27, 2012 at 4:05 AM, Görkem Durğüt <gdurgut [at] bkm> wrote:
>> Hi,
>>
>> I was talking about the "binary" files for Windows published on the Apache.org website. You can check the files at the link below. I have seen the 2.2.23 binary installation files for Windows on this page, including OpenSSL-0.9.8t, as I stated in my previous e-mail. It is interesting that I cannot see this binary package anymore. You may see other similar files, e.g. for version 2.0.64.
>>
>> http://httpd.apache.org/download.cgi
> Me too.
>
I also noticed that the Windows formatted zip is no longer listed
(the previous link for the 2.2.23 bundle was dead).
Is there a change in policy to no longer provide the windows
source/binaries?



covener at gmail

Sep 28, 2012, 10:00 AM

Post #8 of 8 (2249 views)
Re: OpenSSL version in Apache 2.2.23

On Fri, Sep 28, 2012 at 12:51 PM, Andy Wang <awang [at] ptc> wrote:
> On 09/27/2012 05:47 AM, Eric Covener wrote:
>>
>> On Thu, Sep 27, 2012 at 4:05 AM, Görkem Durğüt <gdurgut [at] bkm> wrote:
>>>
>>> Hi,
>>>
>>> I was talking about the "binary" files for Windows published on the
>>> Apache.org website. You can check the files at the link below. I have seen
>>> the 2.2.23 binary installation files for Windows on this page, including
>>> OpenSSL-0.9.8t, as I stated in my previous e-mail. It is interesting that I
>>> cannot see this binary package anymore. You may see other similar files, e.g.
>>> for version 2.0.64.
>>>
>>> http://httpd.apache.org/download.cgi
>>
>> Me too.
>>
> I also noticed that the Windows formatted zip is no longer listed (the previous
> link for the 2.2.23 bundle was dead).
> Is there a change in policy to no longer provide the windows
> source/binaries?

These supplemental packages haven't been contributed yet.
