OpenSSL released version 1.1.1q on 7/5/22. Any plans to make 2.4.54 available with 1.1.1q?
Hi,
Apache uses OpenSSL only for Transport Layer Security (TLS).
Per the OpenSSL project:
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
*) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation would not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
(CVE-2022-2097)
So no, we will not rebuild 2.4.54 with 1.1.1q since we are not vulnerable. When Apache 2.4.55+ comes out, we will use the most current OpenSSL version at that time which may still be 1.1.1q. If OpenSSL 1.1.1r comes out first, and if it affects Apache, we will rebuild then.
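To check the reasoning above against a local build, the following sketch (an added example, not part of the original thread or of Apache/OpenSSL code) parses cipher-suite descriptions in `openssl ciphers -v` format and reports any suite whose `Enc=` field names OCB. The sample lines are constructed, and the `EXAMPLE-AES128-OCB` entry is hypothetical, included only to show the detector firing.

```python
import re
import ssl

# Matches the "Enc=" column of an OpenSSL cipher description line,
# e.g. "Enc=AESGCM(256)", "Enc=CHACHA20/POLY1305(256)" or "Enc=None".
ENC_FIELD = re.compile(r"\bEnc=([^\s(]+)(?:\((\d+)\))?")

# Constructed sample lines in `openssl ciphers -v` format. The last entry is
# hypothetical: there is no OCB-based TLS suite; it only exercises the check.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD",
    "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1",
    "EXAMPLE-AES128-OCB TLSv1.2 Kx=ECDH Au=RSA Enc=AESOCB(128) Mac=AEAD",
]


def parse_enc(description):
    """Return (algorithm, key_bits) from a description line, or None if absent."""
    m = ENC_FIELD.search(description)
    if not m:
        return None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def ocb_suites(descriptions):
    """Return the names of suites whose bulk cipher is an OCB mode."""
    hits = []
    for line in descriptions:
        enc = parse_enc(line)
        if enc and "OCB" in enc[0].upper():
            hits.append(line.split()[0])
    return hits


def local_suite_descriptions():
    """Describe every TLS suite the linked OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL")  # include suites disabled by default
    return [c["description"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("linked library:", ssl.OPENSSL_VERSION)
    print("OCB suites in sample:", ocb_suites(SAMPLE))
    print("OCB suites in local build:", ocb_suites(local_suite_descriptions()))
```

This reports on the OpenSSL library linked into the Python interpreter, which may differ from the one bundled with a given Apache build.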
Is there a way to get emails when the new version of OpenSSL is applied to an update? E.g., OpenSSL 1.1.1t.
Or a way to get emails when announcements are posted? I am new to the forum, and I appreciate any answers I am given; thank you! :)
You can use the RSS of this forum for updates. Plus the forum allows you to receive mails from the announcements.
See also https://forum.apachehaus.com/news-general-discussion/how-can-i-watch-release-announcements/