Need the latest Apache 2.4.41 with OpenSSL 1.0.2u or OpenSSL 1.1.1d

Started by JC, February 14, 2020, 09:08:59 PM


JC

Need the latest Apache 2.4.41 with below OpenSSL fixes.

OpenSSL 1.1.1C < 1.1.1e-dev Procedure Overflow Vulnerability
CVE-2019-1551 (OpenSSL advisory) [Low severity] 06 December 2019:
   -Fixed in OpenSSL 1.1.1e-dev (git commit) (Affected 1.1.1-1.1.1d)
   -This issue was also addressed in OpenSSL 1.0.2u

OpenSSL 1.1.1C < 1.1.1d Multiple Vulnerabilities
CVE-2019-1563 (OpenSSL advisory) [Low severity] 10 September 2019:
   -Fixed in OpenSSL 1.1.1d (git commit) (Affected 1.1.1-1.1.1c)
   -This issue was also addressed in OpenSSL 1.1.0l, OpenSSL 1.0.2t

Reference:  https://www.openssl.org/news/vulnerabilities-1.1.1.html

Gregg

We have Apache 2.4.41 with openssl 1.1.1d on our download page.
Edit: I see that is not correct, we're at 1.1.1c. I remember that the CVE didn't affect Apache but s_client but


About that CVE. Methinks (I may be wrong) that this is also yours:
https://www.apachelounge.com/viewtopic.php?p=38830#38830

But let's look at that post, at the bottom
Quote from: franklin.watson
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to OpenSSL version 1.1.1e-dev or later.

So, Nessus is blindly suggesting to upgrade to a dev version. But not just that, the fact that they are not even testing for it (because no one yet knows how to screw you with it but the reporter & devs working on the fix) but are relying solely "only on the application's self-reported version number" is shameful, and they just want to look like you're getting your money's worth.

That tells me I could just change the numbers in the source of 1.1.1d and they'd shut up. It would be the same exact code but changing the numbers in 1 file (opensslv.h) would be enough to satisfy them.  ::) They're crying WOLF WOLF WOLF! but haven't bothered to actually see if it is indeed around.

If that post isn't yours, we don't do dev releases except for dev purposes, that's why they are "dev versions," certainly not for production servers. If you 'just have to fix this' it probably is a production server.

Compiling OpenSSL in and of itself is two lines at the command line and not that hard. Just replace the DLLs in Apache24/bin. You only need Perl, NASM & the free version of Visual Studio that matches your Apache.


perl Configure VC-WIN64A --prefix=/Apache24 --openssldir=/Apache24/conf enable-camellia no-idea no-mdc2 no-ssl2 no-ssl3 no-zlib
nmake


That way you can have the fix for any other low severity, not very likely to be abused, vulnerability that doesn't warrant an actual release for next time the boy cries wolf.


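Gregg's point about Nessus relying on the self-reported version can be shown by reconstructing such a check. The block below is an added example written for this edit, not code from Nessus, Apache Lounge or anyone in this thread. It encodes only the fixed versions listed in JC's post, uses the pre-3.0 OpenSSL version scheme (MAJOR.MINOR.FIX plus a patch letter, with an optional -dev/-pre suffix), and assumes the Server header format mod_ssl emits with ServerTokens Full ("Apache/2.4.41 (Win64) OpenSSL/1.1.1c"); the sample banners at the bottom are constructed, not captured from any host.

```python
"""
Banner-only OpenSSL vulnerability check, reconstructed from the two advisories
quoted in this thread (example code, not Nessus's plugin logic).

The version string is all such a check sees: it cannot tell a 1.1.1d built
from source with the 1.1.1e-dev commit applied from an unpatched 1.1.1d, and
a renumbered opensslv.h alone changes the verdict.
"""
import re

# Per-branch fixed versions taken from the advisory text in JC's post.
# Within a branch, a "-dev" version sorts before the release with the same
# letter, so 1.1.1d < 1.1.1e-dev < 1.1.1e (Nessus's "1.1.1e-dev or later").
ADVISORIES = {
    "CVE-2019-1551": {(1, 1, 1): "1.1.1e-dev", (1, 0, 2): "1.0.2u"},
    "CVE-2019-1563": {(1, 1, 1): "1.1.1d", (1, 1, 0): "1.1.0l", (1, 0, 2): "1.0.2t"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(dev|pre\d*))?$")
_BANNER_RE = re.compile(r"OpenSSL/(\S+)")


def parse_version(text):
    """Turn '1.1.1e-dev' into a sortable tuple: (1, 1, 1, 5, 0).

    Fields: major, minor, fix, patch-letter rank (0 = no letter), release flag
    (0 for -dev/-pre snapshots, 1 for a release).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a pre-3.0 OpenSSL version: {text!r}")
    major, minor, fix, letter, suffix = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    is_release = 0 if suffix else 1
    return (int(major), int(minor), int(fix), letter_rank, is_release)


def assess_version(text):
    """Map each CVE to 'affected', 'fixed' or 'not assessed' for one version string."""
    v = parse_version(text)
    branch = v[:3]
    verdict = {}
    for cve, fixes in ADVISORIES.items():
        fixed = fixes.get(branch)
        if fixed is None:
            verdict[cve] = "not assessed"  # branch not listed in the advisory
        elif v < parse_version(fixed):
            verdict[cve] = "affected"
        else:
            verdict[cve] = "fixed"
    return verdict


def assess_banner(server_header):
    """Apply the check to an Apache Server header; None if it carries no OpenSSL token."""
    m = _BANNER_RE.search(server_header)
    if not m:
        return None  # ServerTokens not Full, or mod_ssl not loaded: nothing to go on
    return assess_version(m.group(1))


if __name__ == "__main__":
    # Constructed sample banners for demonstration only.
    for banner in [
        "Apache/2.4.41 (Win64) OpenSSL/1.1.1c",
        "Apache/2.4.41 (Win64) OpenSSL/1.1.1d",
        "Apache/2.4.41 (Win64) OpenSSL/1.1.1e-dev",  # only opensslv.h decides this
        "Apache/2.4.41 (Win64) OpenSSL/1.0.2t",
        "Apache/2.4.41 (Win64)",
    ]:
        print(f"{banner:42} -> {assess_banner(banner)}")
```

Run as-is and the 1.1.1d banner stays flagged for CVE-2019-1551 whether or not the fix commit was compiled in, while a banner reading 1.1.1e-dev clears both CVEs: the check cannot see past the number in opensslv.h, which is the limitation Gregg describes. A real assessment of a self-built OpenSSL has to go by the source the DLLs were compiled from, not by the banner.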

JC