OpenSSL 1.1.1q

Started by iexam1, July 22, 2022, 11:09:48 PM

Previous topic - Next topic

iexam1

OpenSSL released version 1.1.1q on 7/5/22 Any plans to make 2.4.54 available with 1.1.1q ?

Gregg

Hi,

Apache uses OpenSSL only for Transport Layer Security (TLS).
Per the OpenSSL project;

Changes between 1.1.1p and 1.1.1q [5 Jul 2022]

  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
    implementation would not encrypt the entirety of the data under some
    circumstances.  This could reveal sixteen bytes of data that was
    preexisting in the memory that wasn't written.  In the special case of
    "in place" encryption, sixteen bytes of the plaintext would be revealed.

    Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
    they are both unaffected.

    (CVE-2022-2097)


So no, we will not rebuild 2.4.54 with 1.1.1q since we are not vulnerable. When Apache 2.4.55+ comes out, we will use the most current OpenSSL version at that time which may still be 1.1.1q. If OpenSSL 1.1.1r comes out first, and if it affects Apache, we will rebuild then.