According to https://www.openssl.org/news/vulnerabilities.html, there exist newest vulnerabilities for OpenSSL 1.0.1m which are assumed to be fixed in 1.0.1n. When could Apache Haus have the newest Windows version of Apache embedding the newest 1.0.1n to solve those newest vulnerabilities?
On other hand, will this be possible to compile the source code for 1.0.1n to work with existing version of Apache 2.4.12 x64?
Looking forward to any response.
??? ??? ???
Quote from: ivantsui00
On other hand, will this be possible to compile the source code for 1.0.1n to work with existing version of Apache 2.4.12 x64?
It's possible, sure; 1.0.1o now. Here's the problem. We should have already been using 2.4.13 with 1.0.1n but someone vetoed the release to get in a fix for a CVE. The fix was added and 2.4.14 was tagged but the CVE caused a bug. That's been fixed. There is one other issue on the table being discussed and 2.4.15 will be tagged.
It's a lot of work making all the updates; do we want to do it only to have it be superseded in a few days? Not only that, but OpenSSL 1.0.2c, 1.0.1n and 0.9.8zg were released on 11-Jun-2015. I spent most of the day compiling these for all the Apache versions (2.4, 2.2, x86 & x64). Then on 12-Jun-2015, 1.0.1o and 1.0.2c were released. So 2/3 of all that time spent was wasted between OpenSSL and ASF.
I assume you are talking of Logjam; a proper SSL configuration and DH prime > 1024 bit is not vulnerable to Logjam even with 1.0.1m as far as I know. A 1024 bit DH prime has been discouraged for over a year now.
Short answer. No. I have to take my mother to a doctor appointment tomorrow in the AM and I have one in the afternoon. I'm hoping 2.4.15 will be tagged tomorrow and I can start working on that in the evening.
It's 9:25pm June 15 here, the tomorrow I speak of is June 16 here.
:D :D :D
Thanks for the information. We are also interested in CVE-2015-1788 to 1792, so we should use 1.0.1n or later.
When the newest Apache 2.4.15 or later is released for download, please post me a response as early as possible.
Understand that change of software (i.e. 1.0.1o) will waste your valuable time to compile all of them again. Hope that no one will reject and no newer software will be released so that able to use newest 2.4.15 asap.
Quote from: ivantsui00
Hope that no one will reject and no newer software will be released so that able to use newest 2.4.15 asap.
I'm in agreement with you there :)
I always announce new versions of Apache and/or OpenSSL when they become available in the forum and on the front page of the site.
When do you feel 2.4.15 will be released? Might this have to pass some discussions before release?
How it works;
1. A release is tagged and given out for testing
2. A 72 hour window is given to test and vote
3. Should there be no votes against in the 72 hours then it is almost there.
4. When the source arrives at http://www.apache.org/dist/httpd it is officially "released" and places like Apache Haus are allowed to release it to users.
As for discussions of 2.4.15:
http://marc.info/?t=143464731600007&r=1&w=2
I just pulled current 2.4 from svn and am going to test it right now. My VC compiler usually complains more than gcc on unix will, so I want to check out the report by Oli.
#1 has been done
#2 has started
http://marc.info/?t=143473280900001&r=1&w=2
>:( >:( >:(
What is the updated status of 2.4.15? Or will 2.4.16+ be developed instead?
2.4.15 has been opted out [1]. We wait for the voting of 2.4.16
[1] http://marc.info/?l=apache-httpd-dev&m=143497455917852&w=2
We wait for the tag. Voting will not even begin until that happens.
1 more vote needed on the redirect fix/break/whatever it is.
The Status file says that there is only one showstopper left. And I see two votes for that. There are some backports, but I don't know if they make it into the next version.
Quote
RELEASE SHOWSTOPPERS:
  *) mod_alias: Limit Redirect expressions to directory (Location) context
     and redirect statuses (implicit or explicit).
     trunk patch: http://svn.apache.org/r1686853
                  http://svn.apache.org/r1686856
     2.4.x patch: trunk works (modulo CHANGES)
If they happen to, but there is no waiting around for backport. Fix the reported bug and save the rest for 2.4.x>16.
From the Apache Release History, 2.4.16 is still under development and no >16 version, if this should be under VOTE and should be able to release to fix the OpenSSL issue?
If it passes vote then yes. We got to get to the tag first.
::) ??? :o
How the status of newest version of 2.4.16 still under development to solve security issue about OpenSSL?
Understand that OpenSSL should have a new release as 1.0.1p mentioned in http://www.openssl.org/.
It (2.4.16 & 2.2.30) looks good to go, hoping they will tag them today or tomorrow.
As for OpenSSL 1.0.1p, seeing its severity rating is "High", I'll wait till it arrives as well.
The voting is done. Soon there will be 2.4 binaries.
Yup, and I have them ready to go I just have to make them visible on the download page. Doing so now.
Will there also be an Apache 2.2.29 OpenSSL 1.0.1P update?
Thanks in advance for the hard work you guys do to make my life easy ;)
Hi jowi,
No, there should be an Apache 2.2.31 with the latest OpenSSL releases in a couple of days. 2.2.30 failed to build on Windows but it was an easy fix and should not stall the release of 2.2.31.
Under Apache Release History, the 2.4.16 is still in development?
However, under download, what is difference between Apache 2.4.x VC9 and Apache 2.4.x VC11?
Please advise.
The Source code is the same. The difference is the Visual C++ / Visual Studio version.
Quote from: ivantsui00 on July 27, 2015, 03:55:19 AM
Under Apache Release History, the 2.4.16 is still in development?
That Release History is at the very bottom of priority when trying to get releases out. If it were a temperature it would be absolute 0. I tend to completely forget but often come back later and clean it up. The information can be gathered elsewhere too, the STATUS file in each of the branches in SVN http://svn.apache.org/viewvc/httpd/httpd/branches/
But you will notice it just mentioned the date it was tagged and released to developers for testing and voting, not the actual release date which looks like July 14.