OpenSSL 1.0.1m Security Issue

Started by ivantsui00, June 16, 2015, 05:27:05 AM

ivantsui00

According to https://www.openssl.org/news/vulnerabilities.html, there are new vulnerabilities in OpenSSL 1.0.1m which are assumed to be fixed in 1.0.1n. When could Apache Haus have a new Windows version of Apache that embeds 1.0.1n to solve those vulnerabilities?

On the other hand, will it be possible to compile the source code for 1.0.1n to work with the existing version of Apache 2.4.12 x64?

Looking forward to any response.


??? ??? ???

Gregg

Quote from: ivantsui00
On the other hand, will it be possible to compile the source code for 1.0.1n to work with the existing version of Apache 2.4.12 x64?

It's possible, sure; 1.0.1o now. Here's the problem. We should have already been using 2.4.13 with 1.0.1n, but someone vetoed the release to get in a fix for a CVE. The fix was added and 2.4.14 was tagged, but the CVE caused a bug. That's been fixed. There is one other issue on the table being discussed, and then 2.4.15 will be tagged.

It's a lot of work making all the updates; do we want to do it only to have it be superseded in a few days? Not only that, but OpenSSL 1.0.2c, 1.0.1n and 0.9.8zg were released on 11-Jun-2015. I spent most of the day compiling these for all the Apache versions (2.4, 2.2, x86 & x64). Then on 12-Jun-2015, 1.0.1o and 1.0.2c were released. So 2/3 of all that time spent was wasted between OpenSSL and the ASF.

I assume you are talking of Logjam; a proper SSL configuration and a DH prime > 1024 bit is not vulnerable to Logjam even with 1.0.1m, as far as I know. 1024-bit DH primes have been discouraged for over a year now.

Short answer. No. I have to take my mother to a doctor appointment tomorrow in the AM and I have one in the afternoon. I'm hoping 2.4.15 will be tagged tomorrow and I can start working on that in the evening.

It's 9:25pm June 15 here, the tomorrow I speak of is June 16 here.
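The mod_ssl configuration Gregg's "proper ssl configuration and DH prime > 1024 bit" remark implies, shown as an added example rather than anything posted in this thread or shipped by Apache Haus. The certificate paths are assumed placeholders; the cipher list needs an OpenSSL 1.0.1-based build for the GCM suites, and the appended-DH-parameter mechanism needs httpd 2.4.7 or later.

```apacheconf
# --- Weak (hypothetical "before" vhost) -------------------------------------
# Offers export-grade DHE suites, which is exactly what a Logjam attacker
# downgrades a DHE handshake to, and leaves the DH group to whatever the
# server happens to fall back on.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    "C:/Apache24/conf/ssl/server.crt"
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"
    SSLCipherSuite        DEFAULT
</VirtualHost>

# --- Hardened ---------------------------------------------------------------
# 1. No SSLv2/SSLv3, server picks the cipher, export/NULL/RC4/DES removed.
# 2. ECDHE first, so classic DHE is only used by clients without ECDHE.
# 3. A 2048-bit DH group for the DHE suites that remain. httpd 2.4.7+ reads
#    custom parameters appended to the first SSLCertificateFile:
#        openssl dhparam -out dhparams.pem 2048
#        type dhparams.pem >> C:\Apache24\conf\ssl\server.crt
#    Without appended parameters, 2.4.7+ picks a built-in group sized to the
#    RSA key, so a 2048-bit key already avoids the 1024-bit groups Logjam
#    precomputation targets.
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol           all -SSLv2 -SSLv3
    SSLHonorCipherOrder   on
    SSLCipherSuite        ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK
    SSLCertificateFile    "C:/Apache24/conf/ssl/server.crt"   # DH params appended
    SSLCertificateKeyFile "C:/Apache24/conf/ssl/server.key"
    # On a build linked against OpenSSL 1.0.2 or later (httpd 2.4.8+), the
    # parameters can be referenced directly instead of being appended:
    #   SSLOpenSSLConfCmd DHParameters "C:/Apache24/conf/ssl/dhparams.pem"
</VirtualHost>
```

To check the result from a client with an OpenSSL 1.0.2+ `s_client`, force a DHE suite with `openssl s_client -connect localhost:443 -cipher "EDH"` and read the `Server Temp Key:` line; it should report `DH, 2048 bits` (or larger), and the export suites should fail to negotiate at all with `-cipher "EXP"`.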

ivantsui00

 :D :D :D

Thanks for the information. We are also interested in CVE-2015-1788 to 1792, so we should use 1.0.1n or later.

When the newest Apache 2.4.15 or later is released for download, please post me a response as early as possible.

I understand that a change of software (i.e. 1.0.1o) will waste your valuable time compiling all of them again. I hope that no one will reject it and no newer software will be released, so that we are able to use the newest 2.4.15 asap.


Gregg

Quote from: ivantsui00
I hope that no one will reject it and no newer software will be released, so that we are able to use the newest 2.4.15 asap.

I'm in agreement with you there :)

I always announce new versions of Apache and/or OpenSSL when they become available in the forum and on the front page of the site.

ivantsui00

When do you feel 2.4.15 will be released? Will it have to pass some discussions before release?

Gregg

How it works:

1. A release is tagged and given out for testing
2. A 72 hour window is given to test and vote
3. Should there be no votes against in the 72 hours, then it is almost there.
4. When the source arrives at http://www.apache.org/dist/httpd it is officially "released" and places like Apache Haus are allowed to release it to users.

As for discussions of 2.4.15:
http://marc.info/?t=143464731600007&r=1&w=2

I just pulled current 2.4 from svn and am going to test it right now. My VC compiler usually complains more than gcc on Unix will, so I want to check out the report by Oli.

Gregg

#1 has been done
#2 has started

http://marc.info/?t=143473280900001&r=1&w=2

ivantsui00

 >:( >:( >:(

What is the updated status for 2.4.15? Or will 2.4.16+ be developed instead?


mario


Gregg

We wait for the tag. Voting will not even begin until that happens.
1 more vote needed on the redirect fix/break/whatever it is.

mario

The STATUS file says that there is only one showstopper left, and I see two votes for that. There are some backports, but I don't know if they will make it into the next version.

Quote
RELEASE SHOWSTOPPERS:

  *) mod_alias: Limit Redirect expressions to directory (Location) context
     and redirect statuses (implicit or explicit).
     trunk patch: http://svn.apache.org/r1686853
                  http://svn.apache.org/r1686856
     2.4.x patch: trunk works (modulo CHANGES)


Gregg

If they happen to, fine, but there is no waiting around for backports. Fix the reported bug and save the rest for 2.4.x > 16.

ivantsui00

From the Apache release history, 2.4.16 is still under development and there is no >16 version. Should this go under VOTE, and should it be able to be released to fix the OpenSSL issue?

Gregg

If it passes the vote then yes. We've got to get to the tag first.

ivantsui00

 ::) ??? :o

What is the status of the newest version, 2.4.16, still under development to solve the security issue with OpenSSL?

I understand that OpenSSL should have a new release, 1.0.1p, as mentioned on http://www.openssl.org/.