Apache 2.4.43 with updated OpenSSL available

Started by Gregg, April 22, 2020, 03:41:37 AM


Gregg

OpenSSL updated to 1.1.1g
This OpenSSL update covers 1 high severity vulnerability.

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

  *) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

The other change does not apply as we do not build with no-asm.

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]


You can get your copy of the updated Apache HTTP Server from our download page.
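A quick way to confirm that a server or workstation actually picked up the 1.1.1g build (and so carries the CVE-2020-1967 fix for SSL_check_chain()) is to parse the version string OpenSSL reports and compare it against 1.1.1g. The script below is an added example for this thread, not code shipped by Apache Haus or OpenSSL; it assumes the 1.1.x letter-suffix numbering (1.1.1f sorts before 1.1.1g) and a single-letter patch suffix, and it only answers "is this at least 1.1.1g", so a 1.0.2 build, which has no TLS 1.3 and is not affected by this bug, is simply reported as older.

```shell
#!/bin/sh
# Added example (not from the Apache Haus post): decide whether an OpenSSL
# version string is at least 1.1.1g, the release carrying the CVE-2020-1967 fix.
# Assumption: 1.1.x style versions (MAJ.MIN.PATCH plus optional single letter).

# openssl_version_key "OpenSSL 1.1.1g  21 Apr 2020" -> prints a sortable integer.
# Returns 1 if the string does not look like an OpenSSL version.
openssl_version_key() {
  v=$(printf '%s' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\2/p')
  [ -n "$v" ] || return 1
  maj=${v%%.*};  rest=${v#*.}
  min=${rest%%.*}; rest=${rest#*.}
  patch=$(printf '%s' "$rest" | sed 's/[a-z]*$//')   # digits before the letter
  letter=$(printf '%s' "$rest" | sed 's/^[0-9]*//')  # the letter, if any
  if [ -z "$letter" ]; then
    ln=0
  else
    # POSIX printf: "'g" yields the character's code (103); 'a' maps to 1
    ln=$(printf '%d' "'$letter"); ln=$((ln - 96))
  fi
  printf '%d\n' $((maj * 1000000000 + min * 1000000 + patch * 1000 + ln))
}

# openssl_at_least_1_1_1g VERSION_STRING -> exit 0 if >= 1.1.1g, 1 if older,
# 2 if the string could not be parsed.
openssl_at_least_1_1_1g() {
  key=$(openssl_version_key "$1") || return 2
  fixed=$(openssl_version_key "1.1.1g")
  [ "$key" -ge "$fixed" ]
}

# Stand-alone use: report on the openssl binary found in PATH, if any.
if command -v openssl >/dev/null 2>&1; then
  ver=$(openssl version)
  if openssl_at_least_1_1_1g "$ver"; then
    echo "OK: '$ver' is 1.1.1g or newer"
  else
    echo "OLDER THAN 1.1.1g: '$ver'"
  fi
fi
```

On a Windows box running the Apache Haus build the same check can be pointed at the bundled binary (for example `bin\openssl.exe version` from the Apache directory) rather than whatever `openssl` happens to be first in PATH; the two are often different.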

Gregg

Forgot to mention.

mod_http2
This also comes with the fix for the problem mentioned here: https://forum.apachehaus.com/index.php?topic=1614.0

The patch used has been included as well inside the zip file.