The Apache Haus Forum


Author Topic: Openssl 1.0.1m Security Issue  (Read 8092 times)

ivantsui00

Openssl 1.0.1m Security Issue
« on: June 16, 2015, 05:27:05 AM »

According to https://www.openssl.org/news/vulnerabilities.html, there exists a new vulnerability for OpenSSL 1.0.1m which is assumed to be fixed in 1.0.1n. When will Apache Haus have the newest Windows version of Apache embedding the newest 1.0.1n to solve those newest vulnerabilities?

On the other hand, will it be possible to compile the source code for 1.0.1n to work with the existing version of Apache 2.4.12 x64?

Looking forward to any response.



Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #1 on: June 16, 2015, 06:23:31 AM »

Quote from: ivantsui00
On the other hand, will it be possible to compile the source code for 1.0.1n to work with the existing version of Apache 2.4.12 x64?

It's possible, sure; it's 1.0.1o now. Here's the problem. We should have already been using 2.4.13 with 1.0.1n, but someone vetoed the release to get in a fix for a CVE. The fix was added and 2.4.14 was tagged, but the CVE fix caused a bug. That's been fixed. There is one other issue on the table being discussed, and then 2.4.15 will be tagged.

It's a lot of work making all the updates; do we want to do it only to have it superseded in a few days? Not only that, but OpenSSL 1.0.2c, 1.0.1n and 0.9.8zg were released on 11-Jun-2015. I spent most of the day compiling these for all the Apache versions (2.4, 2.2, x86 & x64). Then on 12-Jun-2015, 1.0.1o and 1.0.2c were released. So 2/3 of all that time spent was wasted between OpenSSL and ASF.

I assume you are talking of Logjam; a proper SSL configuration and a DH prime > 1024 bits is not vulnerable to Logjam even with 1.0.1m, as far as I know. A 1024-bit DH prime has been discouraged for over a year now.

Short answer: no. I have to take my mother to a doctor's appointment tomorrow in the AM and I have one in the afternoon. I'm hoping 2.4.15 will be tagged tomorrow and I can start working on that in the evening.

It's 9:25pm June 15 here, the tomorrow I speak of is June 16 here.
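The reply above names the two settings that decide whether a mod_ssl host is exposed to Logjam: no export-grade DHE suites in SSLCipherSuite, and a DH group larger than 1024 bits. The script below is an added example (not Apache Haus code and not from any poster in this thread) that audits both from the configuration text alone. The DH PARAMETERS files it checks are constructed inline with placeholder integers of the right size (they are not real primes, so the size check is exercised but nothing here should be deployed); in Apache 2.4.7 and later a real DH PARAMETERS block is appended to the file named by SSLCertificateFile.

```python
"""Audit an Apache mod_ssl configuration for the two Logjam-relevant settings.

Added example, not Apache Haus code. Checks that export-grade cipher suites are
not enabled and that the served DH prime is at least 2048 bits.
"""
import base64
import re

# --- minimal DER helpers, used only to build the constructed sample DH files ---

def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    """Encode a non-negative integer as a DER INTEGER."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the value positive
    return b"\x02" + der_len(len(body)) + body

def make_dh_pem(p, g=2):
    """Wrap p and g in the PKCS#3 DHParameter SEQUENCE and PEM-armour it."""
    seq = der_integer(p) + der_integer(g)
    der = b"\x30" + der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")

# --- the checks ---

def _read_tlv(buf, i):
    """Read one DER tag/length/value at offset i; return (tag, value, next offset)."""
    tag = buf[i]
    length = buf[i + 1]
    i += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + length], i + length

def dh_prime_bits(pem):
    """Return the bit length of the prime p in a DH PARAMETERS PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def audit_ssl_config(conf_text, dh_pem, min_dh_bits=2048):
    """Return a list of findings; an empty list means both checks passed.

    The cipher check is deliberately conservative: it flags only tokens that
    explicitly enable export suites. `openssl ciphers -v '<string>'` is the
    authoritative expansion of a cipher string.
    """
    findings = []
    m = re.search(r"^\s*SSLCipherSuite\s+(\S+)", conf_text, re.M)
    if not m:
        findings.append("SSLCipherSuite is not set; the library default may allow export suites")
    else:
        enabled = [t for t in m.group(1).split(":")
                   if not t.startswith("!") and "EXP" in t.upper()]
        if enabled:
            findings.append("export-grade ciphers enabled via %s; add !EXPORT"
                            % ",".join(enabled))
    bits = dh_prime_bits(dh_pem)
    if bits < min_dh_bits:
        findings.append("DH prime is %d bits; serve at least %d" % (bits, min_dh_bits))
    return findings

# Constructed samples (not from the forum). The integers are size placeholders,
# not real DH groups; they exist only so the size check has something to measure.
WEAK_CONF = "SSLEngine on\nSSLCipherSuite ALL:EXPORT:!aNULL\n"
HARDENED_CONF = "SSLEngine on\nSSLCipherSuite HIGH:!aNULL:!MD5:!EXPORT\n"
WEAK_DH = make_dh_pem((1 << 1023) | 1)     # 1024-bit placeholder
STRONG_DH = make_dh_pem((1 << 2047) | 1)   # 2048-bit placeholder

if __name__ == "__main__":
    for name, conf, dh in (("weak", WEAK_CONF, WEAK_DH),
                           ("hardened", HARDENED_CONF, STRONG_DH)):
        print(name, audit_ssl_config(conf, dh) or "OK")
```

Run against a real host, read the DH PARAMETERS block from the file SSLCertificateFile points at and pass the vhost's configuration text; the two findings for the weak sample are exactly the two conditions the reply lists.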

ivantsui00

Re: Openssl 1.0.1m Security Issue
« Reply #2 on: June 16, 2015, 10:08:37 AM »


Thanks for the information. We are also interested in CVE-2015-1788 to 1792, so we should use 1.0.1n or later.

When the newest Apache 2.4.15 or later is released for download, please post me a response as early as possible.

I understand that a change of software (i.e. 1.0.1o) will waste your valuable time compiling all of them again. I hope that no one will reject it and no newer software will be released, so that we are able to use the newest 2.4.15 asap.


Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #3 on: June 16, 2015, 06:20:03 PM »

Quote from: ivantsui00
I hope that no one will reject it and no newer software will be released, so that we are able to use the newest 2.4.15 asap.

I'm in agreement with you there :)

I always announce new versions of Apache and/or OpenSSL when they become available in the forum and on the front page of the site.

ivantsui00

Re: Openssl 1.0.1m Security Issue
« Reply #4 on: June 17, 2015, 03:43:08 PM »

When do you feel 2.4.15 will be released? Will this need to pass some discussions before release?

Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #5 on: June 18, 2015, 09:36:42 PM »

How it works:

1. A release is tagged and given out for testing.
2. A 72-hour window is given to test and vote.
3. Should there be no votes against in the 72 hours, then it is almost there.
4. When the source arrives at http://www.apache.org/dist/httpd it is officially "released" and places like Apache Haus are allowed to release it to users.

As for discussions of 2.4.15:
http://marc.info/?t=143464731600007&r=1&w=2

I just pulled current 2.4 from svn and am going to test it right now. My VC compiler usually complains more than gcc on Unix will, so I want to check out the report by Oli.

Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #6 on: June 19, 2015, 07:22:39 PM »

#1 has been done
#2 has started

http://marc.info/?t=143473280900001&r=1&w=2
« Last Edit: June 19, 2015, 10:45:34 PM by Gregg »

ivantsui00

Re: Openssl 1.0.1m Security Issue
« Reply #7 on: June 24, 2015, 07:22:34 AM »


What is the updated status for 2.4.15? Will 2.4.16+ be developed instead?


mario

Re: Openssl 1.0.1m Security Issue
« Reply #8 on: June 24, 2015, 12:14:36 PM »

2.4.15 has been opted out [1]. We wait for the voting of 2.4.16.

[1] http://marc.info/?l=apache-httpd-dev&m=143497455917852&w=2

Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #9 on: June 25, 2015, 08:51:58 AM »

We wait for the tag. Voting will not even begin until that happens.
1 more vote needed on the redirect fix/break/whatever it is.

mario

Re: Openssl 1.0.1m Security Issue
« Reply #10 on: June 25, 2015, 09:48:56 AM »

The STATUS file says that there is only one showstopper left, and I see two votes for that. There are some backports, but I don't know if they make it into the next version.

Quote
RELEASE SHOWSTOPPERS:

  *) mod_alias: Limit Redirect expressions to directory (Location) context
     and redirect statuses (implicit or explicit).
     trunk patch: http://svn.apache.org/r1686853
                  http://svn.apache.org/r1686856
     2.4.x patch: trunk works (modulo CHANGES)


Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #11 on: June 25, 2015, 10:02:00 AM »

If they happen to, fine, but there is no waiting around for backports. Fix the reported bug and save the rest for 2.4.x > 16.

ivantsui00

Re: Openssl 1.0.1m Security Issue
« Reply #12 on: June 29, 2015, 01:48:42 AM »

From the Apache release history, 2.4.16 is still under development and there is no >16 version; should this be under VOTE, and should it be able to be released to fix the OpenSSL issue?

Gregg

Re: Openssl 1.0.1m Security Issue
« Reply #13 on: June 30, 2015, 02:24:11 AM »

If it passes the vote, then yes. We've got to get to the tag first.

ivantsui00

Re: Openssl 1.0.1m Security Issue
« Reply #14 on: July 08, 2015, 08:27:54 AM »


What is the status of the newest version, 2.4.16, still under development, to solve the security issue about OpenSSL?

I understand that OpenSSL should have a new release, 1.0.1p, mentioned on http://www.openssl.org/.
