Posted to users@httpd.apache.org by Fred K <fr...@gmail.com> on 2015/03/21 21:18:37 UTC

[users@httpd] Is httpd impacted by openssl asn1 CVE?

Hi

In this week's openssl security announcement there were two moderate CVEs related
to asn1.
- when/where does the Apache httpd server (e.g. 2.4.12) actually use asn1?
- does apache rely on openssl for asn1 and do we need to be concerned
about:
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
ASN.1 structure reuse memory corruption (CVE-2015-0287)

Thank you very much - Fred

Re: [users@httpd] Is httpd impacted by openssl asn1 CVE?

Posted by Fred K <fr...@gmail.com>.
Hi,
I understand that. The questions are about understanding when
(openssl) asn1 matters, if at all, for Apache httpd.
Rgds - Fred



On Sat, Mar 21, 2015 at 4:51 PM, Robert Webb <rw...@ropeguru.com> wrote:

> All depends on what version of OpenSSL you are using. Not the version of
> apache.
>
>
> -------- Original Message --------
> From: Fred K <fr...@gmail.com>
> Sent: Saturday, March 21, 2015 04:22 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Is httpd impacted by openssl asn1 CVE?
>
>

Re: [users@httpd] Is httpd impacted by openssl asn1 CVE?

Posted by Robert Webb <rw...@ropeguru.com>.
All depends on what version of OpenSSL you are using. Not the version of apache.

-------- Original Message --------
From: Fred K <fr...@gmail.com>
Sent: Saturday, March 21, 2015 04:22 PM
To: users@httpd.apache.org
Subject: [users@httpd] Is httpd impacted by openssl asn1 CVE?