logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: Apache 2.2.27 available :: Updated with OpenSSL 1.0.1g
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Sun 23 Mar '14 21:36    Post subject: Apache 2.2.27 available :: Updated with OpenSSL 1.0.1g Reply with quote

Apache 2.2.27 Win32 and Win64 VC9/VC10 are now available here at the download pages.

8 April 2014: Updated OpenSSL to 1.0.1g from 1.0.1f (see below)

Changelog http://www.apachelounge.com/Changelog.html

Documentation: http://httpd.apache.org/docs/2.2/

Apache 2.2 is "old" now. This 2.2 is just maintenance for those unable to upgrade to 2.4 at this time.

Consider this as the latest 2.2 release.

We consider the Apache HTTP Server 2.4.9 release to be the best version of Apache available, and encourage users of 2.0 and 2.2 versions to upgrade. More info 2.4, see http://httpd.apache.org/docs/2.4/ attention there when you want to Upgrade to 2.4.

When you have hangs, slow traffic and/or having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:

Win32DisableAcceptEx
EnableSendfile Off
EnableMMAP off



Enjoy,

Steffen
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

PostPosted: Tue 08 Apr '14 20:52    Post subject: Reply with quote

Updated the builds with 1.0.1g OpenSSL from 1.0.1f.

Be sure you not download a cached former one, empty your browser cache.
Check the ReadMe.txt in the .zip.



The update fixes the serious vulnerability The Heartbleed Bug.

More info at: www.apachelounge.com/viewtopic.php?p=27305

Steffen


Changes between 1.0.1f and 1.0.1g

*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server (The Heartbleed Bug).

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller for preparing the fix (CVE-2014-0160)

*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]

*) TLS pad extension: draft-agl-tls-padding-03

Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long. [Adam Langley, Steve Henson]
Back to top
feniix



Joined: 08 Apr 2014
Posts: 2
Location: Chicago

PostPosted: Wed 09 Apr '14 15:39    Post subject: Reply with quote

Hello Steffen,

Are you guys looking into a precise timeline to release 2.2.27 with openssl 1.0.1g for 32 bits with vc10 or vc9?

I reply to myself: it is already done.

I didn't see the first post.

Just a note, the descriptions in the download files (http://www.apachelounge.com/download/win32/) have not been updated to reflect the upgrade of openssl to 1.0.1g
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 677

PostPosted: Wed 09 Apr '14 15:55    Post subject: Reply with quote

The descriptions (Readme.txt) are up to date in the .zip's.

Be sure you not download the cached former one, empty your browser cache.
Back to top
mlp



Joined: 06 Jun 2014
Posts: 4

PostPosted: Fri 06 Jun '14 16:19    Post subject: Re: Apache 2.2.27 available :: Updated Reply with quote

Looking forward to 2.2.27 VC10 with OpenSSL 1.0.1h. We keep the windows servers on Apache 2.2 for consistency, since all mayor linux distributions still use 2.2.
Back to top


Reply to topic   Topic: Apache 2.2.27 available :: Updated with OpenSSL 1.0.1g View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout