Posted to users@httpd.apache.org by Görkem Durğüt <gd...@bkm.com.tr> on 2012/09/21 09:28:31 UTC

[users@httpd] OpenSSL version in Apache 2.2.23

Hi,

While the latest build was 2.2.22 for the 2.2.x version, some vulnerabilities were found in OpenSSL version 0.9.8t, which was present in the official "Win32 Binary including OpenSSL 0.9.8t (MSI Installer)" bundle. I have waited for the new version, which is 2.2.23, but it still has not included the latest OpenSSL version in its SSL bundle.

I am a security guy, not the application server staff. I want my application server staff to apply the patch to upgrade the OpenSSL version to 0.9.8v, which eliminates 3 OpenSSL vulnerabilities. Thus, I have the following questions:


1. Why has Apache not included the latest OpenSSL version in the newly released 2.2.23 version? I have read somewhere that the latest OpenSSL version is included when a new version is released.

2. Is there an official bundle for 2.2.23 including OpenSSL 0.9.8v?

3. Is there a patch for Apache httpd to upgrade only its OpenSSL module (currently we have the 2.2.22 version on Windows server)? The patch may be applied to 2.2.22 or 2.2.23.

PS: Related OpenSSL vulnerabilities are as follows:

· http://www.openssl.org/news/secadv_20120312.txt

· http://www.openssl.org/news/secadv_20120419.txt

· http://www.openssl.org/news/secadv_20120510.txt

Please help.

Thanks & Regards,
Gorkem

Re: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Eric Covener <co...@gmail.com>.
On Fri, Sep 28, 2012 at 12:51 PM, Andy Wang <aw...@ptc.com> wrote:
> On 09/27/2012 05:47 AM, Eric Covener wrote:
>>
>> On Thu, Sep 27, 2012 at 4:05 AM, Görkem Durğüt <gd...@bkm.com.tr> wrote:
>>>
>>> Hi,
>>>
>>> I was talking about the "binary" files for Windows published in
>>> Apache.Org website. You can check the files in the link below. I have seen
>>> the 2.2.23 binary installation files for Windows in this page including the
>>> OpenSSL-0.9.8t as I have stated in previous e-mail. It is interesting that I
>>> cannot see this binary package anymore. You may see other similar files, eg.
>>> for 2.0.64 version.
>>>
>>> http://httpd.apache.org/download.cgi
>>
>> Me too.
>>
> I also noticed that the windows formatted zip is no longer listed (the previous
> link for the 2.2.23 bundle was dead).
> Is there a change in policy to no longer provide the windows
> source/binaries?

These supplemental packages haven't been contributed yet.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Andy Wang <aw...@ptc.com>.
On 09/27/2012 05:47 AM, Eric Covener wrote:
> On Thu, Sep 27, 2012 at 4:05 AM, Görkem Durğüt <gd...@bkm.com.tr> wrote:
>> Hi,
>>
>> I was talking about the "binary" files for Windows published in Apache.Org website. You can check the files in the link below. I have seen the 2.2.23 binary installation files for Windows in this page including the OpenSSL-0.9.8t as I have stated in previous e-mail. It is interesting that I cannot see this binary package anymore. You may see other similar files, e.g. for 2.0.64 version.
>>
>> http://httpd.apache.org/download.cgi
> Me too.
>
I also noticed that the windows formatted zip is no longer listed 
(the previous link for the 2.2.23 bundle was dead).
Is there a change in policy to no longer provide the windows 
source/binaries?



Re: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Eric Covener <co...@gmail.com>.
On Thu, Sep 27, 2012 at 4:05 AM, Görkem Durğüt <gd...@bkm.com.tr> wrote:
> Hi,
>
> I was talking about the "binary" files for Windows published in Apache.Org website. You can check the files in the link below. I have seen the 2.2.23 binary installation files for Windows in this page including the OpenSSL-0.9.8t as I have stated in previous e-mail. It is interesting that I cannot see this binary package anymore. You may see other similar files, e.g. for 2.0.64 version.
>
> http://httpd.apache.org/download.cgi

Me too.



RE: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Görkem Durğüt <gd...@bkm.com.tr>.
Hi,

I was talking about the "binary" files for Windows published in Apache.Org website. You can check the files in the link below. I have seen the 2.2.23 binary installation files for Windows in this page including the OpenSSL-0.9.8t as I have stated in previous e-mail. It is interesting that I cannot see this binary package anymore. You may see other similar files, e.g. for 2.0.64 version.

http://httpd.apache.org/download.cgi


Regards,
Gorkem



-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com] 
Sent: Friday, September 21, 2012 4:48 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] OpenSSL version in Apache 2.2.23

On Fri, Sep 21, 2012 at 9:35 AM, Görkem Durğüt <gd...@bkm.com.tr> wrote:
> Actually, I was talking about the official release existing in Apache Http Server Project (Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.23-win32-x86-openssl-0.9.8t.msi).
>
> Current apache version is 2.2.22, and OpenSSL version is 0.9.8t. What I need is to upgrade OpenSSL to 0.9.8v. Upgrading apache to 2.2.23 is optional. The problem is I cannot find an official installation package or patch in Apache Website. Although this OpenSSL version has vulnerabilities and a new build for Apache is released, the latest version of OpenSSL has not been included.
>
> Server: Windows Server 2003 32-bit
> Apache: 2.2.22 including OpenSSL 0.9.8t

The official packages are source code, everything else is a contribution for convenience.  Some third-party websites (e.g. apachelounge) might have a build for you.



Re: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Eric Covener <co...@gmail.com>.
On Fri, Sep 21, 2012 at 9:35 AM, Görkem Durğüt <gd...@bkm.com.tr> wrote:
> Actually, I was talking about the official release existing in Apache Http Server Project (Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.23-win32-x86-openssl-0.9.8t.msi).
>
> Current apache version is 2.2.22, and OpenSSL version is 0.9.8t. What I need is to upgrade OpenSSL to 0.9.8v. Upgrading apache to 2.2.23 is optional. The problem is I cannot find an official installation package or patch in Apache Website. Although this OpenSSL version has vulnerabilities and a new build for Apache is released, the latest version of OpenSSL has not been included.
>
> Server: Windows Server 2003 32-bit
> Apache: 2.2.22 including OpenSSL 0.9.8t

The official packages are source code, everything else is a
contribution for convenience.  Some third-party websites (e.g.
apachelounge) might have a build for you.



RE: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Görkem Durğüt <gd...@bkm.com.tr>.
Actually, I was talking about the official release existing in Apache Http Server Project (Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.23-win32-x86-openssl-0.9.8t.msi).

Current apache version is 2.2.22, and OpenSSL version is 0.9.8t. What I need is to upgrade OpenSSL to 0.9.8v. Upgrading apache to 2.2.23 is optional. The problem is I cannot find an official installation package or patch in Apache Website. Although this OpenSSL version has vulnerabilities and a new build for Apache is released, the latest version of OpenSSL has not been included.

Server: Windows Server 2003 32-bit
Apache: 2.2.22 including OpenSSL 0.9.8t

Regards,
Gorkem

-----Original Message-----
From: Michael Felt [mailto:mamfelt@gmail.com] 
Sent: Friday, September 21, 2012 4:24 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] OpenSSL version in Apache 2.2.23

I cannot speak for all packagers, but I do not bundle openssl in mine
- it uses whatever the hosting server has installed.

So, I think it would help if you mentioned what platform you are using, and/whether you package/build for yourself.



Re: [users@httpd] OpenSSL version in Apache 2.2.23

Posted by Michael Felt <ma...@gmail.com>.
I cannot speak for all packagers, but I do not bundle openssl in mine
- it uses whatever the hosting server has installed.

So, I think it would help if you mentioned what platform you are
using, and/whether you package/build for yourself.
