Ok, so thanks Will. The issue was CVE-2010-3864 and you've shed some
light on this.


-----Original Message-----
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] 
Sent: Tuesday, March 15, 2011 4:47 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] upgrade mod_ssl on Apache

On 3/11/2011 3:07 PM, Edwards, Denise wrote:
> 
> I'm upgrading the Apache HTTP from 2.2.10 to latest version (2.2.17).
> We normally use the openSSL that comes bundled with the Apache install
> package. The latest Apache comes bundled with OpenSSL v0.9.8o and I need
> to upgrade it to v0.9.8p. How do you upgrade the openssl on the installed
> Apache? I downloaded the OpenSSL v0.9.8p tar from openssl.org, but not
> sure where to go from there as it's not the mod_ssl.so format.

FWIW...

 0.9.8o - CVE-2010-0742 - httpd shipped NO_CMS, no impact
        - CVE-2010-1633 - affected 1.0.0 only, no impact
        - CVE-2010-3864 - mod_ssl does not use openssl internal caching,
                          no impact

 0.9.8p - CVE-2010-4180 - MITM issue in renegotiation, potential impact
        - CVE-2010-4252 - httpd shipped NO_JPAKE, no impact

 0.9.8q - CVE-2011-0014 - no OCSP support in 2.2.17, no impact

As you can see, there is one possible MITM vector in 0.9.8p that impacts
httpd, so the assertion that one would need to upgrade from .8o to .8p and
not pick up at least .8q is not only foolish but bordering on the inept, a
truly counterproductive waste of effort.

http://httpd.apache.org/docs/2.2/platform/win_compiling.html - Follow ONLY
the [Optional] OpenSSL libraries (for mod_ssl and ab.exe with ssl support)
step and move openssl.exe, libeay32.dll and ssleay32.dll into place, and you
will be finished.  But at least build a sensible version.

When 2.2.18 ships, or a significant flaw is discovered, httpd will ship the
then-current iteration of openssl.

> CONFIDENTIALITY NOTICE: The information in this Internet email is
confidential and may be legally privileged. It is intended solely for
the addressee. Access to this email by anyone else is unauthorized. 

Not anymore it isn't, due to your act of publishing an inquiry to a
public list.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
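One way to check that the DLL swap described above actually took effect, as an added PowerShell example that is not part of the thread: it reads the OpenSSL version string embedded in libeay32.dll and ssleay32.dll, compares it against the .8q floor Will recommends, and lists which copies a running httpd has loaded. The Apache path is a placeholder, and the script assumes the DLLs embed the usual "OpenSSL 0.9.8x" version string.

```powershell
# Added example, not from the thread: after swapping libeay32.dll and
# ssleay32.dll into place, confirm which OpenSSL build the installed httpd
# actually carries and whether a running httpd has picked it up yet.
# Assumptions: Apache is installed under C:\Apache22 (placeholder path) and
# the DLLs embed the usual "OpenSSL 0.9.8x" version string.
param(
    [string]$ApacheBin = 'C:\Apache22\bin',
    [string]$MinimumVersion = '0.9.8q'   # the thread's advice: at least .8q
)

# Pull the "OpenSSL 0.9.8p" style string out of the DLL image.
function Get-OpenSslVersionString {
    param([string]$Path)
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text, 'OpenSSL (\d+\.\d+\.\d+[a-z]*)')
    if ($m.Success) { return $m.Groups[1].Value } else { return $null }
}

# Orders 0.9.8-series versions: numeric parts first, then the patch letter
# ('o' < 'p' < 'q'; a missing letter sorts before 'a'). Returns -1, 0 or 1.
function Compare-OpenSslVersion {
    param([string]$A, [string]$B)
    $pattern = '^(\d+)\.(\d+)\.(\d+)([a-z]*)$'
    $ra = [regex]::Match($A, $pattern); $rb = [regex]::Match($B, $pattern)
    foreach ($i in 1..3) {
        $d = [int]$ra.Groups[$i].Value - [int]$rb.Groups[$i].Value
        if ($d -ne 0) { return [Math]::Sign($d) }
    }
    return [Math]::Sign([string]::CompareOrdinal($ra.Groups[4].Value, $rb.Groups[4].Value))
}

foreach ($dll in 'libeay32.dll', 'ssleay32.dll') {
    $path = Join-Path $ApacheBin $dll
    if (-not (Test-Path $path)) { Write-Warning "$dll not found in $ApacheBin"; continue }
    $ver = Get-OpenSslVersionString -Path $path
    if (-not $ver) { Write-Warning "${dll}: no OpenSSL version string found"; continue }
    $state = if ((Compare-OpenSslVersion $ver $MinimumVersion) -ge 0) { 'OK' } else { 'OUTDATED' }
    '{0,-13} OpenSSL {1,-7} {2}' -f $dll, $ver, $state
}

# A replaced DLL only takes effect once httpd restarts; show what a running
# httpd still has mapped so a stale copy is not mistaken for the upgrade.
foreach ($proc in Get-Process httpd -ErrorAction SilentlyContinue) {
    $proc.Modules | Where-Object { $_.ModuleName -match '^(libeay32|ssleay32)\.dll$' } |
        ForEach-Object { 'httpd PID {0} has loaded {1}' -f $proc.Id, $_.FileName }
}
```

Run it from an elevated PowerShell session, since enumerating another process's modules needs the right to open that process.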
