RE: [External] Re: Apache HTTP Server dependency on OpenSSL

2022-11-08 Thread Payyavula, Manjula Vani via dev
Hi Team,

We are facing a security vulnerability with the "fasterxml jackson databind" 
dependency 2.13.3, 1.13.4, and so on. Even using the latest 2.14.0-rc2 version 
did not resolve the "CVE-.." type vulnerabilities.
Could you please help/suggest?

-Original Message-
From: Ruediger Pluem 
Sent: Wednesday, November 9, 2022 1:02 PM
To: dev@httpd.apache.org
Subject: [External] Re: Apache HTTP Server dependency on OpenSSL

On 11/9/22 8:29 AM, Turritopsis Dohrnii Teo En Ming wrote:
> Subject: Apache HTTP Server dependency on OpenSSL
>
> Good day from Singapore,
>
> I read that Apache HTTP Server depends on/requires OpenSSL 1.1.1 to operate a 
> TLS 1.3 web server.
>
> Can we use OpenSSL 3.0.7 instead of OpenSSL 1.1.1? Is it supported?

2.4.54 supports OpenSSL 3.0

Regards

Rüdiger






Re: Apache HTTP Server dependency on OpenSSL

2022-11-08 Thread Turritopsis Dohrnii Teo En Ming
On Wed, 9 Nov 2022 at 18:32, Ruediger Pluem wrote:

>
>
> On 11/9/22 8:29 AM, Turritopsis Dohrnii Teo En Ming wrote:
> > Subject: Apache HTTP Server dependency on OpenSSL
> >
> > Good day from Singapore,
> >
> > I read that Apache HTTP Server depends on/requires OpenSSL 1.1.1 to
> > operate a TLS 1.3 web server.
> >
> > Can we use OpenSSL 3.0.7 instead of OpenSSL 1.1.1? Is it supported?
>
> 2.4.54 supports OpenSSL 3.0
>
> Regards
>
> Rüdiger
>
>
Noted with thanks.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore


Re: Apache HTTP Server dependency on OpenSSL

2022-11-08 Thread Ruediger Pluem



On 11/9/22 8:29 AM, Turritopsis Dohrnii Teo En Ming wrote:
> Subject: Apache HTTP Server dependency on OpenSSL
> 
> Good day from Singapore,
> 
> I read that Apache HTTP Server depends on/requires OpenSSL 1.1.1 to operate a 
> TLS 1.3 web server.
> 
> Can we use OpenSSL 3.0.7 instead of OpenSSL 1.1.1? Is it supported?

2.4.54 supports OpenSSL 3.0

Regards

Rüdiger



Apache HTTP Server dependency on OpenSSL

2022-11-08 Thread Turritopsis Dohrnii Teo En Ming
Subject: Apache HTTP Server dependency on OpenSSL

Good day from Singapore,

I read that Apache HTTP Server depends on/requires OpenSSL 1.1.1 to operate
a TLS 1.3 web server.

Can we use OpenSSL 3.0.7 instead of OpenSSL 1.1.1? Is it supported?

OpenSSL versions 3.0.0 through 3.0.6 have CVE-2022-3602 and CVE-2022-3786
security vulnerabilities, so we need to avoid these versions.

Please advise.

Thank you.

Regards,

Mr. Turritopsis Dohrnii Teo En Ming
Targeted Individual in Singapore
Blogs:
https://tdtemcerts.blogspot.com
https://tdtemcerts.wordpress.com


Re: svn commit: r1905170 - /httpd/httpd/trunk/modules/dav/main/mod_dav.c

2022-11-08 Thread Ruediger Pluem



On 11/9/22 2:12 AM, m...@apache.org wrote:
> Author: manu
> Date: Wed Nov  9 01:12:26 2022
> New Revision: 1905170
> 
> URL: http://svn.apache.org/viewvc?rev=1905170=rev
> Log:
> Turn DavLockDiscovery into a flag
> 
> As requested on dev@httpd.apache.org, turn DavLockDiscovery into a Flag.
> Expressions can still be used by enclosing the directive by 
> ...
> 
> 
> Modified:
> httpd/httpd/trunk/modules/dav/main/mod_dav.c
> 
> Modified: httpd/httpd/trunk/modules/dav/main/mod_dav.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/mod_dav.c?rev=1905170=1905169=1905170=diff
> ==
> --- httpd/httpd/trunk/modules/dav/main/mod_dav.c (original)
> +++ httpd/httpd/trunk/modules/dav/main/mod_dav.c Wed Nov  9 01:12:26 2022
> @@ -83,7 +83,7 @@ typedef struct {
>  const char *dir;
>  int locktimeout;
>  int allow_depthinfinity;
> -ap_expr_info_t *allow_lockdiscovery;
> +int allow_lockdiscovery;
>  
>  } dav_dir_conf;
>  
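Review bot: the new `int allow_lockdiscovery;` member of dav_dir_conf carries no comment saying which values it holds. The next hunk assigns DAV_ENABLED_ON to it, so it stores a DAV_ENABLED_* state rather than a plain boolean; a one-line comment on the field stating that would keep later code from testing it as a simple true/false.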
> @@ -160,6 +160,8 @@ static void *dav_create_dir_config(apr_p
>  
>  conf = (dav_dir_conf *)apr_pcalloc(p, sizeof(*conf));
>  
> +conf->allow_lockdiscovery = DAV_ENABLED_ON;
> +

Better not to set it here, but leave it at 0 aka DAV_ENABLED_UNSET.
This makes it possible to use DAV_INHERIT_VALUE in dav_merge_dir_config.
The corresponding code for dav_merge_dir_config is missing in this patch.

>  /* clean up the directory to remove any trailing slash */
>  if (dir != NULL) {
>  char *d;
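Review bot: the unconditional `conf->allow_lockdiscovery = DAV_ENABLED_ON;` placed right after apr_pcalloc in dav_create_dir_config makes every freshly created per-directory config look as if the directive had been set explicitly. For a merge step to tell an unset value from an explicit On, the field should keep the zero value apr_pcalloc already gives it, with the On default applied where the value is merged or read; no such handling appears in the visible lines of this patch.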

Otherwise good first commit. Thanks for taking care.
Would you provide some documentation for the new directive in 
docs/manual/mod/mod_dav.xml to make it perfect?
Have a look here how to update the html after you adjusted the xml file:

https://httpd.apache.org/docs-project/docsformat.html

Typically the change to the xml file and the updated html files are committed 
separately e.g. look at

http://svn.apache.org/viewvc?rev=1904805=rev
http://svn.apache.org/viewvc?rev=1904806=rev


Regards

Rüdiger


Re: New committer: Emmanuel Dreyfus

2022-11-08 Thread Emmanuel Dreyfus
On Tue, Nov 08, 2022 at 01:05:28PM +0100, Yann Ylavic wrote:
> Welcome Emmanuel, glad to have you on the team!

Thank you everybody for the greetings. I made my first 
commit in r1905170, I hope it is fine.

-- 
Emmanuel Dreyfus
m...@netbsd.org


Re: New committer: Emmanuel Dreyfus

2022-11-08 Thread giovanni

On 11/8/22 11:14, Joe Orton wrote:

> The Project Management Committee (PMC) for the Apache HTTP Server has
> invited Emmanuel Dreyfus to become a committer and we are pleased to
> announce that they have accepted.
>
> Welcome, Emmanuel!


Welcome Emmanuel, glad to see you here.
 Giovanni





Re: New committer: Emmanuel Dreyfus

2022-11-08 Thread SteffenAL



Welcome Emmanuel !

Cheers,

Apachelounge community
https://www.apachelounge.com/



Re: New committer: Emmanuel Dreyfus

2022-11-08 Thread Yann Ylavic
Welcome Emmanuel, glad to have you on the team!

On Tue, Nov 8, 2022 at 11:15 AM Joe Orton wrote:
>
> The Project Management Committee (PMC) for the Apache HTTP Server has
> invited Emmanuel Dreyfus to become a committer and we are pleased to
> announce that they have accepted.
>
> Welcome, Emmanuel!
>
> Regards, Joe
>


Re: New committer: Emmanuel Dreyfus

2022-11-08 Thread Stefan Eissing via dev
Welcome here, Emmanuel!

> On 08.11.2022 at 11:14, Joe Orton wrote:
> 
> The Project Management Committee (PMC) for the Apache HTTP Server has 
> invited Emmanuel Dreyfus to become a committer and we are pleased to 
> announce that they have accepted.
> 
> Welcome, Emmanuel!
> 
> Regards, Joe
> 



New committer: Emmanuel Dreyfus

2022-11-08 Thread Joe Orton
The Project Management Committee (PMC) for the Apache HTTP Server has 
invited Emmanuel Dreyfus to become a committer and we are pleased to 
announce that they have accepted.

Welcome, Emmanuel!

Regards, Joe