Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/02/09 10:40:31 UTC
DO NOT REPLY [Bug 50741] New: Detect when the OpenSSL runtime library is vulnerable to CVE-2011-0014
https://issues.apache.org/bugzilla/show_bug.cgi?id=50741
Summary: Detect when the OpenSSL runtime library is vulnerable to CVE-2011-0014
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: bugs@httpd.apache.org
ReportedBy: rob@comodo.com
http://www.openssl.org/news/secadv_20110208.txt reports that the following
OpenSSL versions are vulnerable:
- OpenSSL 0.9.8h through 0.9.8q
- OpenSSL 1.0.0 through 1.0.0c
I propose that mod_ssl should call SSLeay() when httpd starts up. If a
vulnerable OpenSSL version is detected, a suitable warning should be logged.
Hopefully this will prompt webmasters to upgrade OpenSSL to a patched version.
With regard to Bug 50740 (Enable OCSP Stapling by default), I suggest that OCSP
Stapling should not be enabled by default when a vulnerable OpenSSL version is
detected.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
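As an added illustration of the startup check proposed in the report above (this is example code, not code from the bug report or from httpd/mod_ssl): a C function that decodes the number returned by OpenSSL's SSLeay() and tests it against the two affected ranges named in the report, plus a formatter for the log line. The function names and the sample version numbers are assumptions; the 0xMNNFFPPS layout (major, minor, fix, patch letter, status nibble) is OpenSSL's documented encoding of OPENSSL_VERSION_NUMBER. The sample main() feeds constructed values instead of calling SSLeay(), so the file builds without OpenSSL headers. Since binary distributions backport fixes without changing the version number, a match only means the reported version falls inside an affected range; treat the result as a prompt to verify the installed package, not as a verdict.

```c
#include <stdio.h>

/* Decoded fields of an OpenSSL version number in the 0xMNNFFPPS layout
 * (the value SSLeay() returns; OpenSSL_version_num() on 1.1 and later). */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

static struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (v >> 28) & 0xf;
    r.minor  = (v >> 20) & 0xff;
    r.fix    = (v >> 12) & 0xff;
    r.patch  = (v >> 4)  & 0xff;   /* patch letter: a = 1, b = 2, ... */
    r.status = v & 0xf;            /* 0 = dev, 1..14 = beta, 0xf = release */
    return r;
}

/* Pack fields back into the same layout (status nibble left as zero)
 * so affected ranges can be compared as plain integers. */
static unsigned long ossl_pack(unsigned major, unsigned minor,
                               unsigned fix, unsigned patch)
{
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12)   | ((unsigned long)patch << 4);
}

/* Render a version number as "M.N.Fp", e.g. 0x0090811f -> "0.9.8q". */
char *ossl_format(unsigned long v, char *buf, size_t len)
{
    struct ossl_version d = ossl_decode(v);
    if (d.patch)
        snprintf(buf, len, "%u.%u.%u%c", d.major, d.minor, d.fix,
                 (char)('a' + d.patch - 1));
    else
        snprintf(buf, len, "%u.%u.%u", d.major, d.minor, d.fix);
    return buf;
}

/* Returns 1 when the version lies in a range listed in the advisory:
 * 0.9.8h through 0.9.8q, or 1.0.0 through 1.0.0c. The status nibble is
 * ignored so beta/dev builds of an affected release are flagged too.
 * Caveat: distributions that backport the fix keep the old number, so
 * a hit is a reason to check the package, not proof of exposure. */
int cve_2011_0014_version_affected(unsigned long v)
{
    unsigned long base = v & ~0xfUL;                     /* drop status */
    if (base >= ossl_pack(0, 9, 8, 8) && base <= ossl_pack(0, 9, 8, 17))
        return 1;                                        /* h = 8, q = 17 */
    if (base >= ossl_pack(1, 0, 0, 0) && base <= ossl_pack(1, 0, 0, 3))
        return 1;                                        /* 1.0.0 .. 1.0.0c */
    return 0;
}

int main(void)
{
    /* Constructed sample values standing in for SSLeay() at startup. */
    const unsigned long samples[] = {
        0x0090807fUL,   /* 0.9.8g: before the affected range */
        0x0090808fUL,   /* 0.9.8h: first affected */
        0x0090811fUL,   /* 0.9.8q: last affected */
        0x0090812fUL,   /* 0.9.8r: fixed release */
        0x1000003fUL,   /* 1.0.0c: last affected */
        0x1000004fUL,   /* 1.0.0d: fixed release */
    };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ossl_format(samples[i], buf, sizeof buf);
        if (cve_2011_0014_version_affected(samples[i]))
            printf("warning: OpenSSL %s is in a range affected by "
                   "CVE-2011-0014; verify that the installed build carries "
                   "the fix before enabling OCSP stapling\n", buf);
        else
            printf("OpenSSL %s: version not in an affected range\n", buf);
    }
    return 0;
}
```

The comparison works on the packed integer rather than on the decoded struct so that the ranges read exactly as the advisory states them; the formatter exists only to make the logged warning say "0.9.8q" instead of a hex constant.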
--- Comment #1 from Ruediger Pluem <rp...@apache.org> 2011-02-09 04:51:58 EST ---
*** Bug 50742 has been marked as a duplicate of this bug. ***
Joe Orton <jo...@redhat.com> changed:
What       | Removed | Added
-----------+---------+---------
Status     | NEW     | RESOLVED
Resolution |         | WONTFIX
--- Comment #2 from Joe Orton <jo...@redhat.com> 2011-02-11 08:28:02 EST ---
This is something we generally try to avoid.
1) Binary distributions of OpenSSL often include backported security fixes so
there is no simple mapping between version and vulnerability.
2) There are many more serious OpenSSL vulnerabilities which httpd installs
could be affected by in a default configuration; picking this one out would be
odd.