Hi all, Any idea on this issue?
Related to this issue, when will a person volunteer for windows version of Apache httpd 2.2.23 (hoping this will include the latest OpenSSL 0.9.8x version) ? Still waiting for more than 3 months for windows version. Any "voluntary" help that will be published on official site will be very appreciated by many users. Regards, Gorkem >________________________________ > From: Gorkem Durgut <gorkem...@yahoo.com> >To: "users@httpd.apache.org" <users@httpd.apache.org> >Sent: Thursday, December 20, 2012 11:33 AM >Subject: Apache 2.2.x and CVE-2012-2333 > > >Hi, > > >I am questioning if Apache 2.2.22 with OpenSSL 0.9.8t is affected >by CVE-2012-2333 (OpenSSL Invalid TLS/DTLS Record Denial of Service >Vulnerability)? > > >You may find the details of the vulnerability >here: http://www.openssl.org/news/secadv_20120510.txt > > >Here, it says that "DTLS applications are affected in all versions of OpenSSL. >TLS is only affected in OpenSSL 1.0.1 andlater." > > >I do not have deeper knowledge about protocols but I think as follows: DTLS >means TLS for datagram packets so it means http does not use DTLS, right? On >the other hand, TLS is affected in OpenSSL 1.0.1 and later which means >0.9.8-related version is not affected, right? > > >Thus, can I imply that OpenSSL 0.9.8t version used with Apache httpd 2.2.22 is >not affected with this vulnerability? > > >Can anybody comment on this issue? Is Apache 2.2.22 with OpenSSL 0.9.8t >afected by CVE-2012-2333? > > > > >Thanks & Regards, >Gorkem > >