logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Critical Security Vulnerabilty: Upgrade to OpenSSL 1.0.1g
Goto page 1, 2  Next
 
Post new topic   Reply to topic    Apache Forum Index -> News & Hangout



View previous topic :: View next topic  
Author Message
nicklowe



Joined: 15 Apr 2007
Posts: 8

PostPosted: Tue 08 Apr '14 6:33    Post subject: Critical Security Vulnerabilty: Upgrade to OpenSSL 1.0.1g Reply with quote

Please can we have a build with OpenSSL 1.0.1g included to close CVE-2014-0160, a critical security vulnerability:

https://www.openssl.org/news/secadv_20140407.txt

http://heartbleed.com/

Thanks,

Nick
Back to top
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

PostPosted: Tue 08 Apr '14 10:27    Post subject: Reply with quote

Yes, that is absolutely critical!!!

Pls support us with a new version.

Thanks!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Tue 08 Apr '14 11:19    Post subject: Reply with quote

VC11 build updated with OpenSSL 1.0.1g, VC9 and Vc10 follows
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Tue 08 Apr '14 11:31    Post subject: Reply with quote

You can test your server with http://possible.lv/tools/hb
Back to top
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

PostPosted: Tue 08 Apr '14 13:45    Post subject: Reply with quote

The new version runs like a charm!

Thanks!
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 794
Location: Amsterdam, NL, EU

PostPosted: Tue 08 Apr '14 19:45    Post subject: Reply with quote

Is not it just enough to replace the 1.0.1f dll's (ssleay32.dll & libeay32.dll) by the 1.0.1g versions? That would be a quick fix with almost no downtime needed.
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 794
Location: Amsterdam, NL, EU

PostPosted: Tue 08 Apr '14 20:37    Post subject: Reply with quote

James Blond wrote:
You can test your server with http://possible.lv/tools/hb

On a Win2k8 server with Apache 2.4 VC9 OpenSSL 1.0.1f this test results in 'Your server appears to be unaffected.'

On a Centos 6.5 server Apache 2.4 with a patched OpenSSL 1.0.1e the test states 'Your server appears to be patched against this bug.'

Did anyone get a positive result (=affected) from this test, especially on Windows servers?
Back to top
lambacck



Joined: 18 Dec 2008
Posts: 3
Location: Burlington, Ontario, Canada

PostPosted: Tue 08 Apr '14 20:40    Post subject: Reply with quote

Jan-E:

I have heard reports that some testing tools are unreliable (showing not vulnerable) due to load. I got a failing result using the ssl labs test ( https://www.ssllabs.com/ssltest) earlier today for a 2.2 build from this site.

-Chris
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Tue 08 Apr '14 22:22    Post subject: Reply with quote

Jan-E wrote:

Did anyone get a positive result (=affected) from this test, especially on Windows servers?


Yepp I did! I did the test before and after patching. On the first one I got a positive result.

For example netfisca fr still is affected
Back to top
jraute



Joined: 13 Sep 2013
Posts: 187
Location: Rheinland, Germany

PostPosted: Tue 08 Apr '14 22:50    Post subject: Reply with quote

Yes, we had positive results before and negative results after patching - so openssl 1.0.1g works.

Btw security can only be provided by exchanging the keys!!!
(Who can prove/confirm that the private key(s) have not been compromised in the past?)
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 794
Location: Amsterdam, NL, EU

PostPosted: Tue 08 Apr '14 23:01    Post subject: Reply with quote

The possible.tv test was very specific in its error messages, which made it credible.

However, SSLlabs said my Win2K8 server was vulnerable. I took Apache down for a few moments and replaced the ???eay32.dll's. After this action SSLlabs said that the server was not vulnerable anymore. Replacing htr DLL's proved to be a quick fix...
Back to top
Tina



Joined: 23 Jan 2014
Posts: 5

PostPosted: Wed 09 Apr '14 8:04    Post subject: Apache 2.4 win32 VC10 Reply with quote

I would urgently need Apache 2.4 win32 VC10 updated but when I go on download page it still says it uses the openssl version openssl-1.0.1f

Do you have some kind of time schedule when you have a update for this so I can somehow decide how to proceed?

Thanks a lot.

/edit: oops sorry, accidentally posted two times
Back to top
nightmare11at



Joined: 09 Apr 2014
Posts: 1

PostPosted: Wed 09 Apr '14 12:03    Post subject: Reply with quote

Ok, i am running apache 2.4.6 on a Windows Server 2008 R2 (x64). I patched the Vulnerabilty by just replacing the 3 files:
libeay32.dll
ssleay32.dll
openssl.exe
in the \Apache\bin\ directory

You can download the the new files here:
http://www.apachelounge.com/download/

Then i created a new key and asked my certificate provider to reissue the certificate.
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2580
Location: Hilversum, NL, EU

PostPosted: Wed 09 Apr '14 14:10    Post subject: Reply with quote

All 2.2.27 and 2.49 flavors are now updated, Win32 and Win64 build with VC9, VC10 and VC11.

Hope that all of you update as soon as possible.


Steffen
Back to top
somnang



Joined: 08 Apr 2011
Posts: 61

PostPosted: Wed 09 Apr '14 14:15    Post subject: Reply with quote

Thank you Steffen
Back to top
sratrerier



Joined: 19 Mar 2009
Posts: 4

PostPosted: Wed 09 Apr '14 14:44    Post subject: Reply with quote

Thank you, and I just donated using the button on the left to help keep this server online. Your volunteer efforts are very generous.
Back to top
somnang



Joined: 08 Apr 2011
Posts: 61

PostPosted: Wed 09 Apr '14 15:20    Post subject: Reply with quote

Based on CVE-2014-0160, 1.0.1g is a temporary fix. 1.0.2 will contain permanent fix?
Back to top
ted.byers



Joined: 03 Jan 2013
Posts: 19

PostPosted: Wed 09 Apr '14 17:21    Post subject: Reply with quote

nightmare11at wrote:
Ok, i am running apache 2.4.6 on a Windows Server 2008 R2 (x64). I patched the Vulnerabilty by just replacing the 3 files:
libeay32.dll
ssleay32.dll
openssl.exe
in the \Apache\bin\ directory

You can download the the new files here:
http://www.apachelounge.com/download/

Then i created a new key and asked my certificate provider to reissue the certificate.

I tried that on two machines. On the first, it seems to work. On the other, it appears not to have worked. Both are version 2.4.3. Is it a mistake to have tried this on 2.4.3 when the current release is 2.4.9? If so, can I upgrade to 2.4.9 by stopping/uninstalling Apache, copying the binary directory of the full 64 bit build that has the patch to the binary directory of the current install, and then reinstalling and restarting it (hmmmmm, that sounds like a FAQ: how to update an existing installation to the latest minor release -- where is the FAQ -- I guess I'll google a FAQ for upgrading Apache 2.4 on Windows)?

Thanks

Ted
Back to top
admin
Site Admin


Joined: 15 Oct 2005
Posts: 549

PostPosted: Wed 09 Apr '14 17:31    Post subject: Reply with quote

Stop apache and/or apachemonitor

Copy all files over, except (config) files you changed

Start apache
Back to top
ted.byers



Joined: 03 Jan 2013
Posts: 19

PostPosted: Wed 09 Apr '14 17:50    Post subject: Reply with quote

admin wrote:
Stop apache and/or apachemonitor

Copy all files over, except (config) files you changed

Start apache


Thanks for this.

I checked http://wiki.apache.org/httpd/FAQ, and it says nothing about upgrade procedures. Neither does http://httpd.apache.org/docs/current/.

But, I take it all directories other than conf and htdocs need to be copied.

Thanks.

Ted
Back to top


Post new topic   Reply to topic    Apache Forum Index -> News & Hangout Goto page 1, 2  Next
Page 1 of 2