The Apache Haus Forum

Forum Topics => Security, Firewalls, Nat, and More => Topic started by: ivantsui00 on June 16, 2015, 05:27:05 AM

Title: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on June 16, 2015, 05:27:05 AM
According to https://www.openssl.org/news/vulnerabilities.html, there exist newest vulnerability for OpenSSL 1.0.1m which assumed to be fixed in 1.0.1n.   When Apache Haus could have newest windows version of apache to embed newest 1.0.1n to solve those newest vulnerabilities?

On other hand, will this be possible to compile the source code for 1.0.1n to work with existing version of Apache 2.4.12 x64?

Look forward for any response.


 ??? ??? ???
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 16, 2015, 06:23:31 AM
Quote from: ivantsui00
On other hand, will this be possible to compile the source code for 1.0.1n to work with existing version of Apache 2.4.12 x64?

It's possible sure, 1.0.1o now. Here's the problem. We should have already been using 2.4.13 with 1.0.1n but someone vetoed the release to get in a fix for a CVE. The fix was added and 2.4.14 was tagged but the CVE caused a bug. That's been fixed. There is one other issue on the table to being discussed and 2.4.15 will be tagged.

It's a lot of work making all the updates, do we want to do it only to have it be superseded in a few days. Not only that but OpenSSL 1.0.2c, 1.0.1n and 0.9.8zg was released on 11-Jun-2015. I spent most of the day compiling these for all the Apache version (2.4, 2.2, x86 & x64). Then on 12-Jun-2015, 1.0.1o and 1.0.2c were released. So 2/3 of all that time spent was wasted between OpenSSL and ASF.

I assume you are talking of the logjam, a proper ssl configuration and DH Prime > 1024 bit is not vulnerable to logjam even with 1.0.1m as far as I know. 1024 bit DH prime has been a discouraged for over a year now.

Short answer. No. I have to take my mother to a doctor appointment tomorrow in the AM and I have one in the afternoon. I'm hoping 2.4.15 will be tagged tomorrow and I can start working on that in the evening.

It's 9:25pm June 15 here, the tomorrow I speak of is June 16 here.
Title: Re: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on June 16, 2015, 10:08:37 AM
 :D :D :D

Thank for information.   We are also interested in CVE-2015-1788 to 1792 so should use 1.0.1n or later.

When the newest apache 2.4.15 or later will be released for download, please help to post me a response as early as possible.

Understand that change of software (i.e. 1.0.1o) will waste your valuable time to compile all of them again.   Hope that no one will reject and no newer software will be released so that able to use newest 2.4.15 asap.

Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 16, 2015, 06:20:03 PM
Quote from: ivantsui00
Hope that no one will reject and no newer software will be released so that able to use newest 2.4.15 asap.

I'm in agreement with you there :)

I always announce new versions of Apache and/or OpenSSL when they become available in the forum and on the front page of the site.
Title: Re: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on June 17, 2015, 03:43:08 PM
When you will feel 2.4.15 will be released?   Will this may pass some discussions before release?
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 18, 2015, 09:36:42 PM
How it works;

1. A release is tagged and given out for testing
2. A 72 hour windows is given to test and vote
3. Should there be no votes against in the 72 hours then it is almost there.
4. When the source arrives at http://www.apache.org/dist/httpd it is officially "released" and places like Apache Haus are allowed to release it to users.

As for discussions of 2.4.15:
http://marc.info/?t=143464731600007&r=1&w=2

I just pulled current 2.4 from svn and am going to test it right now. My VC compiler usually complains more than  gcc on unix will, so I want to check out the report by Oli.
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 19, 2015, 07:22:39 PM
#1 has been done
#2 has started

http://marc.info/?t=143473280900001&r=1&w=2
Title: Re: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on June 24, 2015, 07:22:34 AM
 >:( >:( >:(

How the updated status for 2.4.15?   If will develop 2.4.16+ instead?

Title: Re: Openssl 1.0.1m Security Issue
Post by: mario on June 24, 2015, 12:14:36 PM
2.4.15 has been opted out [1]. We wait for the voting of 2.4.16



[1] http://marc.info/?l=apache-httpd-dev&m=143497455917852&w=2
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 25, 2015, 08:51:58 AM
We wait for the tag. Voting will not even begin untill that happens.
1 more vote needed on the redirect fix/break/whatever it is.
Title: Re: Openssl 1.0.1m Security Issue
Post by: mario on June 25, 2015, 09:48:56 AM
the Status file says that there is only one showstopper left. And I see two votes for that. There are some backports, but I don't know if they make it into the next version.

Quote
RELEASE SHOWSTOPPERS:

  *) mod_alias: Limit Redirect expressions to directory (Location) context
     and redirect statuses (implicit or explicit).
     trunk patch: http://svn.apache.org/r1686853
                  http://svn.apache.org/r1686856
     2.4.x patch: trunk works (modulo CHANGES)

Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 25, 2015, 10:02:00 AM
If they happen to, but there is no waiting around for backport. Fix the reported bug and save the rest for 2.4.x>16.
Title: Re: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on June 29, 2015, 01:48:42 AM
From the Apache Release History, 2.4.16 is still under development and no >16 version, if this should be under VOTE and should be able to release to fix the OpenSSL issue?   
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on June 30, 2015, 02:24:11 AM
If it passes vote then yes. We got to get to the tag first.
Title: Re: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on July 08, 2015, 08:27:54 AM
 ::) ??? :o

How the status of newest version of 2.4.16 still under development to solve security issue about OpenSSL?   

Understand that OpenSSL should have a new release as 1.0.1p mentioned in http://www.openssl.org/.




Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on July 08, 2015, 10:34:08 PM
It (2.4.16 & 2.2.30) looks good to go, hoping they will tag them today or tomorrow.
As for OpenSSL 1.0.1p, seeing it's severity rating is "High", I'll wait till it arrives as well.
Title: Re: Openssl 1.0.1m Security Issue
Post by: mario on July 14, 2015, 05:39:53 PM
The voting is done. Soon there will be 2.4 binaries.
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on July 14, 2015, 08:09:34 PM
Yup, and I have them ready to go I just have to make them visible on the download page. Doing so  now.
Title: Re: Openssl 1.0.1m Security Issue
Post by: jowi on July 14, 2015, 09:08:26 PM
Will there also be an apache 2.2.29 openssl 1.0.1P update ?

Thanks in advance for the hard work you guys do to make my life easy ;)
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on July 14, 2015, 11:49:23 PM
Hi jowi,

No, there should be an Apache 2.2.31 with the latest OpenSSL releases in a couple of days. 2.2.30 failed to build on Windows but it was a easy fix and should not stall the release of 2.2.31.
Title: Re: Openssl 1.0.1m Security Issue
Post by: ivantsui00 on July 27, 2015, 03:55:19 AM

Under Apache Release History, the 2.4.16 is still in development?

However, under download, what is difference between Apache 2.4.x VC9 and Apache 2.4.x VC11?

Please advise.
Title: Re: Openssl 1.0.1m Security Issue
Post by: mario on July 27, 2015, 09:56:27 AM
The Source code is the same. The difference is the Visual C++ / Visual Studio version.
Title: Re: Openssl 1.0.1m Security Issue
Post by: Gregg on July 29, 2015, 03:46:20 AM
Under Apache Release History, the 2.4.16 is still in development?

That Release History is at the very bottom of priority when trying to get releases out. If it were a temperature it would be absolute 0. I tend to completely forget but often come back later and clean it up. The information can be gathered elsewhere too, the STATUS file in each of the branches in SVN http://svn.apache.org/viewvc/httpd/httpd/branches/

But you will notice it just mentioned the date it was tagged and released to developers for testing and voting, not the actual release date which looks like July 14.