Print

[blue]

Hi,

I can't seem to find the download on your site for the OpenSSL 1.0.0d upgrade for 2.2.17-ssl-sni-x64.  I'd rather not have to completely upgrade my entire Apache install but only the OpenSSL portion, if possible.

Many thanks,
blue

[Gregg]

Yes, I removed it when 2.2.18 arrived. Normally I'd say why not just upgrade it all, but alas, due to problems in the APR & APR-Utill that came with them, there is going to be a 2.2.19 in a week most likely.

Upgrading is easy however, you really only need to copy the bin and modules folder from the package over the ones you have existing. If you can hold out a week, it would be best to upgrade the whole thing. 2.2.19 will come with OSSL 1.0.0d, or 1.0.0e if that comes around the next couple days. There is a CVE concerning the APR/APR-Util that came with 2.2.17, these are security issues, which is why it is best to upgrade instead of hanging with old versions.  It is for this reason I do not want to hand it to you. Make me believe there is a good reason I should which will allow you to not upgrade Apache and I will give it to you.

Curious, why did you not upgrade the OpenSSL package while the upgrade for 2.2.17 was available?

[blue]

Thanks for the follow-up.

If I only need to copy the bin and module folders, then I can probably just use 2.2.18.  I was browsing the forums and it seemed that it was a more complex upgrade path.  My concern was that since Apache is just one but very important component in my technology stack and I'm a little fuzzy on how it integrates with my J2EE server (JRun/ColdFusion) and Windows 2008 x64, I  wanted to simply upgrade the OpenSSL portion.

I didn't upgrade earlier since I wasn't aware of the update.  There was a vulnerability scan run on my systems and I was informed my current OpenSSL module needed to be upgraded to 1.0.0d.

[Gregg]

There is a binary incompatibility in 2.2.18, which is why they are putting out at 2.2.19 as soon as the APR & APU passes testing and is released. There is always one thing to do before upgrading, back up your existing first. If need be you can always return to previous version. It is looking like Monday or Tuesday for 2.2.19 if all goes well. If you cannot wait that long, I'll let you at the 1.0.0d upgrade for 2.2.17.

[blue]

I can probably put off the upgrade till COB Monday.  If I upgrade to 2.2.19, do I still only replace the bin and module folders in my 2.2.17?

Thanks, again.
blue

[Gregg]

Yes, that is all you have do, I always update the include and lib folders, but that is only needed if you want to build modules.

Any one 2.2 release has to be binary compatible with the prior 2.2 for reasons of module compatibility. They have broken it before in 2.2.9 (which required a change in mod_fcgid), and they did just again in 2.2.18, but it was by accident this time and they have reverted that change. So, any third party module you are using should be just fine.

It also looks like it will be tomorrow or Sunday, the test source is up and voting is only for 24 hours this time. But, I hate to predict when any release is going to happen cause I am always proved wrong 

[blue]

Great news!! I look forward to downloading the file and will let you know how the upgrade goes.  Have a good weekend :-)

[blue]

I updated my 2.2.17 install with the the lib, include, bin and modules folders from 2.2.19 and everything worked like a charm!! 

Thanks again for all your help!!