Posted to users@httpd.apache.org by Gorkem Durgut <go...@yahoo.com> on 2012/12/20 10:33:14 UTC

[users@httpd] Apache 2.2.x and CVE-2012-2333

Hi,

I am questioning if Apache 2.2.22 with OpenSSL 0.9.8t is affected by CVE-2012-2333 (OpenSSL Invalid TLS/DTLS Record Denial of Service Vulnerability)?

You may find the details of the vulnerability here: http://www.openssl.org/news/secadv_20120510.txt

Here, it says that "DTLS applications are affected in all versions of OpenSSL. TLS is only affected in OpenSSL 1.0.1 and later."

I do not have deeper knowledge about protocols but I think as follows: DTLS means TLS for datagram packets so it means http does not use DTLS, right? On the other hand, TLS is affected in OpenSSL 1.0.1 and later which means 0.9.8-related version is not affected, right?

Thus, can I imply that OpenSSL 0.9.8t version used with Apache httpd 2.2.22 is not affected with this vulnerability?

Can anybody comment on this issue? Is Apache 2.2.22 with OpenSSL 0.9.8t affected by CVE-2012-2333?


Thanks & Regards,
Gorkem

Re: [users@httpd] Apache 2.2.x and CVE-2012-2333

Posted by Eric Covener <co...@gmail.com>.
> I do not have deeper knowledge about protocols but I think as follows: DTLS
> means TLS for datagram packets so it means http does not use DTLS, right? On
> the other hand, TLS is affected in OpenSSL 1.0.1 and later which means
> 0.9.8-related version is not affected, right?
>
> Thus, can I imply that OpenSSL 0.9.8t version used with Apache httpd 2.2.22
> is not affected with this vulnerability?

That's how I interpret the CVE as well.



[users@httpd] Re: Apache 2.2.x and CVE-2012-2333

Posted by Gorkem Durgut <go...@yahoo.com>.
Hi all,

Any idea on this issue?

Related to this issue, when will a person volunteer for the Windows version of Apache httpd 2.2.23 (hoping this will include the latest OpenSSL 0.9.8x version)? Still waiting for more than 3 months for the Windows version. Any "voluntary" help that will be published on the official site will be very appreciated by many users.

Regards,
Gorkem
