The Apache Haus Forum


Topic: OpenSSL 1.0.0h & 0.9.8u have been released, we're not yet however


  • Administrator

OpenSSL has released 1.0.0h and 0.9.8u. It's a security fix for Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the million message attack (MMA). One thing noted, however, in the security advisory [1] is:

SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code.

Since Apache IS an SSL/TLS enabled application and the above statement is currently true of mod_ssl, I do not feel it is necessary to release OpenSSL upgrades at this time. Obviously this version (or a possible future version) will be in our distributions of 2.2, since we always build with the current versions of OpenSSL, PCRE and zlib on 2.2.x, and those plus libxml2 and lua on 2.4.x.
