Author |
|
carman
Joined: 09 May 2023 Posts: 2 Location: HK
|
Posted: Tue 09 May '23 9:50 Post subject: Apache with OpenSSL 3.0.8 < 3.0.9 Multiple Vulnerabilitie |
|
|
I would like to know is there any plan to release a new build of Apache with OpenSSL > 3.0.8 version as this finding shows after performed SRAA. Checked that OpenSSL has released 3.1.0.
The version of OpenSSL installed on the remote host is prior to 3.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the 3.0.9 advisory.
- A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. (CVE-2023-0464)
Thanks. |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3093 Location: Hilversum, NL, EU
|
Posted: Tue 09 May '23 10:11 Post subject: |
|
|
There is no 3.0.9 yet. When it is released by OpenSSL we build httpd with it.
See the note in the Advisory https://www.openssl.org/news/secadv/20230322.txt :
Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be
included in the next releases when they become available. |
|
Back to top |
|
carman
Joined: 09 May 2023 Posts: 2 Location: HK
|
Posted: Tue 09 May '23 10:21 Post subject: |
|
|
Noted with thanks! |
|
Back to top |
|
lucasduzo
Joined: 15 May 2023 Posts: 1 Location: Brazil
|
Posted: Mon 15 May '23 20:52 Post subject: |
|
|
Hello team;
Did you find version 2.4.57 with OpenSSL 3.0.8 for binary download for windows?
Or does it not exist yet?
Or is there any way to update manually? |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 688
|
Posted: Mon 15 May '23 21:12 Post subject: |
|
|
It is updated to 3.1.0 |
|
Back to top |
|
jjaimez
Joined: 15 Mar 2022 Posts: 4 Location: USA, Memphis
|
Posted: Thu 25 May '23 15:16 Post subject: info on version 3.1.1 |
|
|
Will there be plans to upgrade to OpenSSL version 3.1.1 soon? There are several CVEs listed that require this action:
CVE-2023-0464
CVE-2023-0465
CVE-2023-0466
Thank you for any info you can provide. |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 688
|
Posted: Thu 25 May '23 15:21 Post subject: |
|
|
Not released yet by OpenSSL.org
No critical and high severity. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1264 Location: Amsterdam, NL, EU
|
Posted: Mon 29 May '23 18:25 Post subject: |
|
|
3.1.1, 3.0.9 and 1.1.1u will be released tomorrow. BTW: curl will have a release 8.1.2 tomorrow as well. |
|
Back to top |
|