OpenSSL updated to 1.1.1g
This OpenSSL update covers 1 high severity vulnerability.
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]
The other change does not apply as we do not build with no-asm.
*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]
You can get your copy of the updated Apache HTTP Server from our download page (http://www.apachehaus.com/cgi-bin/download.plx).
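A defender-side check to go with the advisory above, added here as an example; it is not code from this post, from Apache Haus or from OpenSSL. It parses the version string reported by `openssl version`, by Python's `ssl` module, or embedded in an httpd startup notice, and reports whether the build is at or after 1.1.1g, the release this changelog says carries the SSL_check_chain() fix for CVE-2020-1967. The letter-suffix ordering (1.1.1 < 1.1.1a < ... < 1.1.1g) is handled explicitly, since naive string comparison gets "1.1.1" versus "1.1.1a" wrong. The sample strings at the bottom are constructed, and the treatment of 3.0 and non-OpenSSL libraries is an assumption noted in the code.

```python
import re
import ssl

# Release that carries the SSL_check_chain() fix (CVE-2020-1967) per the changelog above.
FIX_RELEASE = "1.1.1g"

# Prefer a number that follows the word "OpenSSL" so that lines such as
# "Apache/2.4.43 (Win64) OpenSSL/1.1.1f" do not yield the httpd version.
_PREFIXED = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")
_BARE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn an OpenSSL version string into a comparable tuple.

    Accepts the output of `openssl version` ("OpenSSL 1.1.1f  31 Mar 2020"),
    a bare "1.1.1g", or a log line that embeds "OpenSSL/1.1.1f". Pre-3.0
    patch releases are ordered by their letter suffix, so the suffix becomes
    a tuple of letter ordinals: "" < "a" < ... < "g".
    """
    m = _PREFIXED.search(text) or _BARE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    letters = tuple(ord(c) - ord("a") + 1 for c in m.group(4))
    return (major, minor, patch, letters)


def has_check_chain_fix(text):
    """True if the version is at or after 1.1.1g, False if it is an earlier
    1.1.1 release, None for a library or branch this changelog says nothing
    about (LibreSSL, 1.0.2, 1.1.0, ...). Assumption: the 3.0 branch, which
    shipped after this fix, is treated as fixed."""
    version = parse_openssl_version(text)
    if version[:3] == (1, 1, 1):
        return version >= parse_openssl_version(FIX_RELEASE)
    if version[:3] >= (3, 0, 0):
        return True
    return None


def runtime_check():
    """Inspect the OpenSSL that this Python interpreter is linked against."""
    return ssl.OPENSSL_VERSION, has_check_chain_fix(ssl.OPENSSL_VERSION)


# Constructed sample inputs: two `openssl version` banners and an httpd
# startup notice of the kind mod_ssl logs; none is taken from the post.
SAMPLES = [
    "OpenSSL 1.1.1f  31 Mar 2020",
    "OpenSSL 1.1.1g  21 Apr 2020",
    "[mpm_winnt:notice] AH00455: Apache/2.4.43 (Win64) OpenSSL/1.1.1f configured",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{has_check_chain_fix(sample)!s:5}  {sample}")
    print(runtime_check())
```

On a server built from the Apache Haus zip, feeding it the AH00455 line from the httpd error log (or the output of the bundled `openssl version`) tells you whether the running binaries are the updated ones; `None` means the string belongs to a library the changelog does not cover and needs a separate check.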
Forgot to mention.
mod_http2
This also comes with the fix for the problem mentioned here: https://forum.apachehaus.com/index.php?topic=1614.0
The patch used has been included as well inside the zip file.