Apache Lounge

Coming OpenSSL 1.0.2i ?

Mathan Karthik R



Joined: 02 May 2014
Posts: 4
Location: India

Posted: Wed 21 Sep '16 12:50    Post subject: Coming OpenSSL 1.0.2i ?

OpenSSL is planning to release the latest versions (1.1.0a, 1.0.2i, 1.0.1u) on 22nd September 2016 [tomorrow].

It is specified that this version will fix several security bugs including one classified as "High" Severity.

Refer https://mta.openssl.org/pipermail/openssl-announce/2016-September/000076.html for more details.

Hope that Apache Lounge will include this latest version of OpenSSL and release a build.
admin
Site Admin


Joined: 15 Oct 2005
Posts: 549

Posted: Wed 21 Sep '16 14:26

Yes, we always wait some time for testing and to see whether any new/other issues pop up.
Jan-E



Joined: 09 Mar 2012
Posts: 794
Location: Amsterdam, NL, EU

Posted: Wed 21 Sep '16 17:15

High severity is not as bad as it sounds. Most likely it will not be exploitable on most systems.
Jan-E



Joined: 09 Mar 2012
Posts: 794
Location: Amsterdam, NL, EU

Posted: Thu 22 Sep '16 13:34

https://www.openssl.org/news/vulnerabilities.html#y2016
Quote:
A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected. Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support.

On my development server both instances of Apache are upgraded: X86 VC9 & X64 VC11. SSLLabs verdict:
https://www.ssllabs.com/ssltest/analyze.html?d=fips.sessiondatabase.net
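The unbounded growth described in the quoted advisory starts with a client sending an oversized OCSP status_request extension, which is something a defender can watch for on the wire while waiting for the patched build. The following is an added example, not code from this thread, from Apache Lounge or from OpenSSL: it parses the extension block of a TLS ClientHello record and flags a status_request extension larger than an assumed 1024-byte threshold. The ClientHello builder and the sample bytes are constructed purely to exercise the detector; they are not captured traffic.

```python
import struct

STATUS_REQUEST = 5             # TLS extension type "status_request" (RFC 6066, OCSP)
MAX_STATUS_REQUEST_LEN = 1024  # assumed alert threshold; a normal request is ~5 bytes

def parse_client_hello_extensions(record):
    """Return {ext_type: ext_data} from a TLS record that carries a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # skip client_version + random
    pos += 1 + hello[pos]                             # session_id (1-byte length)
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites (2-byte length)
    pos += 1 + hello[pos]                             # compression_methods (1-byte length)
    exts = {}
    if pos >= len(hello):                             # no extensions block present
        return exts
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:                             # each extension: type(2) len(2) data
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def oversized_status_request(record, limit=MAX_STATUS_REQUEST_LEN):
    """True when the ClientHello carries a status_request extension longer than limit."""
    data = parse_client_hello_extensions(record).get(STATUS_REQUEST)
    return data is not None and len(data) > limit

def build_client_hello(status_request=None):
    """Constructed minimal TLS 1.2 ClientHello for exercising the detector (not real traffic)."""
    exts = b""
    if status_request is not None:
        exts = struct.pack("!HH", STATUS_REQUEST, len(status_request)) + status_request
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session_id
             + b"\x00\x02\xc0\x2f"                       # one cipher suite
             + b"\x01\x00"                               # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: a well-formed OCSP status_request (status_type=1, empty lists)
NORMAL_OCSP = b"\x01\x00\x00\x00\x00"
```

A sensor that also counts how many times a single connection renegotiates with such an extension would match the advisory's condition more closely; this block only covers the per-ClientHello size check.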
Jan-E



Joined: 09 Mar 2012
Posts: 794
Location: Amsterdam, NL, EU

Posted: Mon 26 Sep '16 17:00

There is yet another update, to OpenSSL 1.0.2j:
https://www.openssl.org/news/secadv/20160926.txt