Author |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Sun 16 Mar '14 21:45 Post subject: Apache 2.4.9 available :: Updated with OpenSSL 1.0.1g |
|
|
Apache 2.4.9 GA is now available here at the download pages.
8 April 2014: Updated OpenSSL to 1.0.1g from 1.0.1f (see below)
Notes VC11:
* Is build with Visual Studio update 4, advised is to use the Visual C++ Redistributable Update 4 at http://www.microsoft.com/en-us/download/details.aspx?id=30679 .
* VC11 versions do not run with XP and 2003, use the VC10 or VC9 version.
Changelog http://www.apachelounge.com/Changelog-2.4.html
Documentation: http://httpd.apache.org/docs/2.4/ attention there when you want to Upgrade to 2.4 from 2.2
When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:
AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off
Enjoy,
Steffen
Last edited by Steffen on Thu 05 Jun '14 20:22; edited 2 times in total |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Tue 08 Apr '14 11:34 Post subject: The Heartbleed Bug |
|
|
Updated the builds with 1.0.1g OpenSSL from 1.0.1f.
Be sure you not download a cached former one, empty your browser cache.
Check the ReadMe.txt in the .zip.
The update fixes the serious vulnerability The Heartbleed Bug.
More info at: www.apachelounge.com/viewtopic.php?p=27305
Steffen
Changes between 1.0.1f and 1.0.1g
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server (The Heartbleed Bug).
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley for preparing the fix (CVE-2014-0160)
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long. [Adam Langley, Steve Henson]
Last edited by admin on Fri 11 Apr '14 12:00; edited 4 times in total |
|
Back to top |
|
Tina
Joined: 23 Jan 2014 Posts: 5
|
Posted: Tue 08 Apr '14 15:41 Post subject: |
|
|
When will VC10 32 BIT follow? I would urgently need this
Thanks a lot! |
|
Back to top |
|
lambacck
Joined: 18 Dec 2008 Posts: 3 Location: Burlington, Ontario, Canada
|
Posted: Tue 08 Apr '14 18:20 Post subject: |
|
|
Will only Apache 2.4 builds be updated? There was a post about 2.2.27 being the last build for Apache 2.2.
Thanks,
Chris |
|
Back to top |
|
sowen
Joined: 08 Apr 2014 Posts: 1
|
Posted: Tue 08 Apr '14 18:36 Post subject: |
|
|
Thanks very much Steffen for the quick fix to this problem. |
|
Back to top |
|
TPL
Joined: 25 Mar 2014 Posts: 24 Location: Germany, Hamburg
|
Posted: Tue 08 Apr '14 19:40 Post subject: |
|
|
Thanks a lot! Apache 2.4.9 VC11 with OpenSSL 1.0.1g works fine. |
|
Back to top |
|
sratrerier
Joined: 19 Mar 2009 Posts: 4
|
Posted: Wed 09 Apr '14 14:43 Post subject: |
|
|
Yes thank you. Apache 2.4.9 VC10 Windows 32 bit with OpenSSL 1.0.1g works fine too. |
|
Back to top |
|