OpenSSL 1.0.0h & 0.9.8u have been released, we're not yet, however

Started by Gregg, March 13, 2012, 05:21:40 AM


Gregg

OpenSSL has released 1.0.0h and 0.9.8u. It's a security fix for Bleichenbacher's attack on PKCS #1 v1.5 RSA padding, also known as the million message attack (MMA). One thing noted in the security advisory [1], however, is:

Quote: SSL/TLS applications are *NOT* affected by this problem since the SSL/TLS code does not use the PKCS#7 or CMS decryption code.

Since Apache IS an SSL/TLS enabled application and the above statement is currently true of mod_ssl, I do not feel it is necessary to release OpenSSL upgrades at this time. Obviously this version (or a possible future version) will be in our distributions of 2.2 and 2.4.next, since we always build with the current versions of OpenSSL, PCRE and zlib on 2.2.x, and those plus libxml2 and lua on 2.4.x.


[1] http://www.openssl.org/news/secadv_20120312.txt