The Apache Haus Forum

Forum Topics => Announcements => Topic started by: Gregg on December 10, 2020, 07:41:21 AM

Title: Apache 2.4.46 with updated OpenSSL 1.1.1i or LibreSSL 3.2.3 available
Post by: Gregg on December 10, 2020, 07:41:21 AM
Without much fanfare, both the OpenSSL and LibreSSL releases have been updated.


  Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

  *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
     This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
     If an attacker can control both items being compared then this could lead
     to a possible denial of service attack. OpenSSL itself uses the
     GENERAL_NAME_cmp function for two purposes:
     1) Comparing CRL distribution point names between an available CRL and a
        CRL distribution point embedded in an X509 certificate
     2) When verifying that a timestamp response token signer matches the
        timestamp authority name (exposed via the API functions
        TS_RESP_verify_response and TS_RESP_verify_token)
     [Matt Caswell]

  *) The security callback, which can be customised by application code, supports
     the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
     in the "other" parameter. In most places this is what is passed. All these
     places occur server side. However there was one client side call of this
     security operation and it passed a DH object instead. This is incorrect
     according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
     of the other locations. Therefore this client side call has been changed to
     pass an EVP_PKEY instead.
     [Matt Caswell]

  *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
     when validating a certificate path. This check is restored in 1.1.1i.
     [David von Oheimb]

  Changes between LibreSSL 3.1.4 and 3.2.3 [08 Dec 2020]

Other dependencies updates:

Curl updated to 7.74.0
NGHTTP2 updated to 1.42.0
SQLite3 updated to 3.34.0

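Because the whole point of this release is the library versions, the practical check on an installed server is whether the libssl that httpd actually loads reports 1.1.1i (OpenSSL) or 3.2.3 (LibreSSL) or newer. The script below is an added example, not code from the Apache Haus post or project; the function names `openssl_key` and `check_ssl_line` are mine, the minimum versions are the ones named in this announcement, and the sample banners are constructed, not captured from a real build. It handles the OpenSSL 1.x letter-suffix scheme (1.1.1h < 1.1.1i, and a missing letter sorts before "a"), which a plain string compare gets wrong.

```shell
#!/bin/sh
# Added example (not from the Apache Haus post): decide whether an OpenSSL or
# LibreSSL version banner is at or above the release this announcement ships.

# Turn "1.1.1i" into a single integer so versions can be compared with -ge.
# Fields: major, minor, fix, and the ASCII code of the optional patch letter
# (0 when absent, so "1.1.1" sorts below "1.1.1a"). Assumed scheme: at most
# three numeric fields plus one lowercase letter, as OpenSSL 1.x and LibreSSL use.
openssl_key() {
    nums=$(printf '%s' "$1" | sed 's/[a-z]*$//')     # "1.1.1"
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')  # "i" or ""
    major=${nums%%.*}
    rest=${nums#*.}
    minor=${rest%%.*}
    fix=${rest#*.}
    if [ -n "$letter" ]; then
        lcode=$(printf '%d' "'$letter")   # POSIX printf: leading quote gives the char code
    else
        lcode=0
    fi
    echo $((major * 1000000 + minor * 10000 + fix * 100 + lcode))
}

# Given one banner line such as the output of `openssl version`, return 0 when
# the library is at least the fixed release named in the announcement, 1 when
# it is older, and 2 when the banner is not recognised.
check_ssl_line() {
    lib=$(printf '%s' "$1" | awk '{print $1}')
    ver=$(printf '%s' "$1" | awk '{print $2}')
    case "$lib" in
        OpenSSL)  min=1.1.1i ;;   # from the announcement
        LibreSSL) min=3.2.3 ;;    # from the announcement
        *) echo "unrecognised library banner: $1" >&2; return 2 ;;
    esac
    [ "$(openssl_key "$ver")" -ge "$(openssl_key "$min")" ]
}

# Constructed sample banners for demonstration (not real output from any build).
# On a live host, use the banner of the libssl httpd loads, e.g.
#   check_ssl_line "$(openssl version)"
for banner in "OpenSSL 1.1.1h  22 Sep 2020" "OpenSSL 1.1.1i  8 Dec 2020" "LibreSSL 3.1.4" "LibreSSL 3.2.3"; do
    if check_ssl_line "$banner"; then
        echo "OK      $banner"
    else
        echo "UPDATE  $banner"
    fi
done
```

The comparison only says "at least 1.1.1i"; an OpenSSL 1.0.2 build, whose release numbering is independent, is reported as needing an update, which is the conservative answer for a server still on that branch.
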
As always, you can get your copy of the updated Apache HTTP Server from our download page (