The Apache Haus Forum

Author Topic: OpenSSL 1.0.0h & 0.9.8u have been released, we're not yet however  (Read 1889 times)

Gregg

  • Administrator

OpenSSL has released 1.0.0h and 0.9.8u. It's a security fix for Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the million message attack (MMA). One thing noted, however, in the security advisory [1] is:

Quote
SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code.

Since Apache IS an SSL/TLS enabled application and the above statement is currently true of mod_ssl, I do not feel it is necessary to release OpenSSL upgrades at this time. Obviously this version (or a possible future version) will be in our distributions of 2.2 and 2.4.next, since we always build with the current versions of OpenSSL, PCRE and zlib on 2.2.x, and those plus libxml2 and Lua on 2.4.x.


[1] http://www.openssl.org/news/secadv_20120312.txt