Apache 2.4.38 with updated OpenSSL 1.0.2r & 1.1.1b now available


OpenSSL updated to 1.0.2r or 1.1.1b

This update fixes a moderate severity padding oracle vulnerability (CVE-2019-1559) in OpenSSL 1.0.2-1.0.2q that could be used by a remote peer to decrypt data. It has caveats that must be met, which is why it is only rated as moderate. Still, the possibility to decrypt the data is dangerous enough to want to plug that hole, no matter how remote.
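To check which builds still fall in the range named above, the following added example (not code from this post or from the OpenSSL or Apache projects) classifies a version string taken from `openssl version` output or an Apache `Server:` banner. The function names and sample strings are constructed for illustration; a vendor build that backports the fix without changing its version string will still be flagged.

```python
import re

# Affected range as stated in the post: OpenSSL 1.0.2 through 1.0.2q,
# fixed in 1.0.2r. The 1.1.1 branch gets 1.1.1b as a bug fix release only.
AFFECTED_BRANCH = (1, 0, 2)
LAST_AFFECTED_LETTER = "q"

# Matches `openssl version` output ("OpenSSL 1.0.2q  20 Nov 2018") and
# Apache Server banners ("... OpenSSL/1.0.2q"). A "-fips" suffix is ignored.
_VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]{0,2})")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter


def _letter_key(letter):
    # Patch letters order as "" < "a" < ... < "z" < "za" < ...
    return (len(letter), letter)


def affected_by_cve_2019_1559(text):
    """True/False for a recognised version, None if no version is present."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    branch, letter = parsed
    if branch != AFFECTED_BRANCH:
        return False
    return _letter_key(letter) <= _letter_key(LAST_AFFECTED_LETTER)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from real hosts.
    samples = [
        "OpenSSL 1.0.2q  20 Nov 2018",
        "OpenSSL 1.0.2k-fips  26 Jan 2017",
        "Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2r",
        "Server: Apache/2.4.38 (Win64) OpenSSL/1.1.1b",
        "Server: Apache/2.4.38 (Win64)",
    ]
    for s in samples:
        print(f"{affected_by_cve_2019_1559(s)!s:5}  {s}")
```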

For OpenSSL 1.1.1, this is simply a bug fix release. Squashing bugs is good, no? If you have not read my post from yesterday you may be surprised to find Apache with OpenSSL 1.1.1 has moved to VC15. You can read about it at the link. Note that until I get the modules built in VC15, you can still use your VC14 modules. I will start working on them tonight and should have them done by March 4 at the latest. You should be able to expect the same modules currently available to VC14 builds.

