Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/02/09 10:40:31 UTC

DO NOT REPLY [Bug 50741] New: Detect when the OpenSSL runtime library is vulnerable to CVE-2011-0014

https://issues.apache.org/bugzilla/show_bug.cgi?id=50741

           Summary: Detect when the OpenSSL runtime library is vulnerable
                    to CVE-2011-0014
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: rob@comodo.com


http://www.openssl.org/news/secadv_20110208.txt reports that the following
OpenSSL versions are vulnerable:
  - OpenSSL 0.9.8h through 0.9.8q
  - OpenSSL 1.0.0 through 1.0.0c

I propose that mod_ssl should call SSLeay() when httpd starts up.  If a
vulnerable OpenSSL version is detected, a suitable warning should be logged. 
Hopefully this will prompt webmasters to upgrade OpenSSL to a patched version.

With regard to Bug 50740 (Enable OCSP Stapling by default), I suggest that OCSP
Stapling should not be enabled by default when a vulnerable OpenSSL version is
detected.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org



--- Comment #1 from Ruediger Pluem <rp...@apache.org> 2011-02-09 04:51:58 EST ---
*** Bug 50742 has been marked as a duplicate of this bug. ***




Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #2 from Joe Orton <jo...@redhat.com> 2011-02-11 08:28:02 EST ---
This is something we generally try to avoid.

1) Binary distributions of OpenSSL often include backported security fixes so
there is no simple mapping between version and vulnerability.

2) There are many more serious OpenSSL vulnerabilities which httpd installs
could be affected by in a default configuration; picking this one out would be
odd.

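The startup check the report proposes, with the caveat from comment #2 reflected in its log message, as an added example in C that is not code from the bug report, from httpd's mod_ssl, or from OpenSSL. It assumes the runtime version number would be the value SSLeay() returns (OpenSSL's 0xMNNFFPPS encoding) and uses constructed version numbers so that it builds without the OpenSSL headers.

```c
/* Added example, not code from the report or from httpd's mod_ssl: the
 * startup check the report proposes, over OpenSSL's numeric version format
 * 0xMNNFFPPS (major, minor, fix, patch letter, status nibble).  mod_ssl
 * would pass the value SSLeay() returns; constructed inputs are used here. */
#include <stdio.h>
#include <string.h>

/* Bounds of the two ranges in the OpenSSL advisory the report quotes. */
#define OSSL_0_9_8h 0x0090808fUL   /* patch letter h = 0x08 */
#define OSSL_0_9_8q 0x0090811fUL   /* patch letter q = 0x11 */
#define OSSL_1_0_0  0x1000000fUL
#define OSSL_1_0_0c 0x1000003fUL

/* 1 if the version number falls inside either advisory range, else 0. */
int version_in_cve_2011_0014_range(unsigned long v)
{
    return (v >= OSSL_0_9_8h && v <= OSSL_0_9_8q) ||
           (v >= OSSL_1_0_0 && v <= OSSL_1_0_0c);
}

/* Renders the number in the usual "0.9.8q" form for the log line. */
void format_openssl_version(unsigned long v, char *out, size_t len)
{
    unsigned major = (v >> 28) & 0xf, minor = (v >> 20) & 0xff;
    unsigned fix = (v >> 12) & 0xff, patch = (v >> 4) & 0xff;
    if (patch)
        snprintf(out, len, "%u.%u.%u%c", major, minor, fix, (int)('a' + patch - 1));
    else
        snprintf(out, len, "%u.%u.%u", major, minor, fix);
}

/* Helper for checking the rendered form against an expected string. */
int version_formats_as(unsigned long v, const char *expected)
{
    char buf[32];
    format_openssl_version(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* Writes the warning the report asks for and returns 1, else returns 0.
 * As comment #2 notes, vendors backport fixes without changing the version
 * number, so the message can only say "possibly affected". */
int warn_if_vulnerable_openssl(unsigned long runtime_version, FILE *log)
{
    char buf[32];
    if (!version_in_cve_2011_0014_range(runtime_version))
        return 0;
    format_openssl_version(runtime_version, buf, sizeof buf);
    fprintf(log, "warning: OpenSSL %s (0x%08lx) is in the CVE-2011-0014 range; "
            "check whether your vendor backported the fix\n", buf, runtime_version);
    return 1;
}
```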