The Apache Haus Forum


Topic: Apache 2.4.43 with updated OpenSSL available

Gregg

  • Administrator
Apache 2.4.43 with updated OpenSSL available
« on: April 22, 2020, 03:41:37 AM »

OpenSSL updated to 1.1.1g
This OpenSSL update covers 1 high severity vulnerability.

 Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

  *) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

The other change does not apply as we do not build with no-asm.

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]


You can get your copy of the updated Apache HTTP Server from our download page.

Gregg

Re: Apache 2.4.43 with updated OpenSSL available
« Reply #1 on: April 22, 2020, 03:47:45 AM »

Forgot to mention.

mod_http2
This also comes with the fix for the problem mentioned here: https://forum.apachehaus.com/index.php?topic=1614.0

The patch used has been included as well inside the zip file.