Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: OpenSSL in Apache binary roadmap ! |
|
Author |
|
scott4455
Joined: 10 Feb 2020 Posts: 2
|
Posted: Mon 10 Feb '20 20:23 Post subject: OpenSSL in Apache binary roadmap ! |
|
|
We are getting a Medium level hit in our security scans due to OpenSSL being 1.1.1d rather than 1.1.1e-dev. We can mitigate with removing some of the cipher suites, but I could not find any information on how the mod_ssl.so module is slated to be updated.
We only have 1.1.1d due to scouring the forums here and finding a link where someone built one for another CVE, and I can't seem to find that post anymore either. Searches for openssl, mod_ssl.so, 1.1.1d, etc... seem to just turn up 2.2 to 2.4 upgrades, and PHP integrations.
I'm not advocating for a dev version of a module, but am curious how the process works. Any info in how these get into the pipeline, and where they could be found or requested, would be appreciated.
Many thanks! |
|
Back to top |
|
admin Site Admin
Joined: 15 Oct 2005 Posts: 692
|
Posted: Mon 10 Feb '20 22:37 Post subject: |
|
|
Policy is only released versions.
Dev versions can introduce new issues/vulnerabilities, is risky.
As soon the OpenSSL team releases a new version, and they classify fixes a severity levels critical and/or high, then we try to make a Apache binary available within days.
When your Medium level hit is a serious issue, then the OpenSSL Team gives it priority. |
|
Back to top |
|
scott4455
Joined: 10 Feb 2020 Posts: 2
|
Posted: Wed 19 Feb '20 20:18 Post subject: |
|
|
That's pretty much the reasoning we're giving the security teams at this point too.
Thank you for the info! |
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Thu 20 Feb '20 11:47 Post subject: |
|
|
Want to repeat it here:
Users are using a Third Party DLL for a latest OpenSSL.
Be warned to use third party DLL's, you must absolute sure it is not manipulated.
Mostly you are not sure wich Compiler linker is used MINGW (can give issues) or Visual Studio (when not the same VC version, can give issues).
So do not use in Production.
You are save when you download a Apache Binary from here with OpenSSL included en use PGP and/or the check-sums. |
|
Back to top |
|
Brian Gimbli
Joined: 11 Mar 2020 Posts: 4 Location: Houston
|
Posted: Mon 16 Mar '20 15:01 Post subject: |
|
|
Hey, guys!
I am new here. Glad to join the community |
|
Back to top |
|
|
|
|
|
|