On Fri, Apr 11, 2014 at 10:18 AM, Jeff Trawick <traw...@gmail.com> wrote:
> On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <rainer.cana...@sevenval.com> wrote:
>>
>> On Apr 11, 2014, at 14:38 , Jeff Trawick <traw...@gmail.com> wrote:
>>
>> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
>> >
>> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
>> >
>> > If you obtain OpenSSL in binary form with or without Apache HTTP Server, contact the supplier of the binary for resolution. If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt.
>>
>> mod_spdy comes bundled with a script that builds mod_ssl.so with a statically linked OpenSSL. Other people may have done the same, or even with a mod_ssl built statically into apache. For those, just updating OpenSSL may be insufficient to fix the heartbleed bug.
>>
>> rainer
>
> Hmmm... mod_ssl could be linked statically with OpenSSL, mod_spdy or not. Yeah, it is more complicated, but that makes it even more useful to explain.
>
> --/--
>
> httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is statically linked with mod_ssl. Note: The build of mod_spdy may rebuild mod_ssl in this manner.
>
> If you are using a commercial product based on Apache HTTP Server, consult the vendor for information about the applicability of CVE-2014-0160 to your server. If you are otherwise using mod_ssl or a replacement for it from a third party, consult the third party for more information. If your third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the vendor for more information.
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/

I'll leave it at this (plus any subsequent fixes): http://emptyhammock.blogspot.com/2014/04/apache-http-server-and-cve-2014-0160-so.html

If anyone wants http://httpd.apache.org to have something similar, we can move/improve the text on my blog.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
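The practical question raised in the thread is how to tell, on a given server, which of the two cases applies: a mod_ssl.so that loads the system libssl at runtime (fixed by updating OpenSSL and restarting httpd) versus one that carries its own statically linked copy of OpenSSL (fixed only by rebuilding httpd/mod_ssl against patched OpenSSL). The script below is an added example written for this page; it is not code from the httpd, mod_spdy or OpenSSL projects. It relies on two facts about ELF objects: the names of shared-library dependencies (DT_NEEDED) are stored as plain text in .dynstr, and a statically linked OpenSSL embeds its OPENSSL_VERSION_TEXT banner ("OpenSSL 1.0.1e 11 Feb 2013"). The function names and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example (not httpd/OpenSSL project code): triage a mod_ssl build
# for CVE-2014-0160 by looking at how it obtains OpenSSL.
#   dynamic            -> mod_ssl names libssl as a shared dependency;
#                         patch the system OpenSSL and restart httpd
#   static-vulnerable  -> embedded OpenSSL 1.0.1 .. 1.0.1f (or 1.0.2-beta1);
#                         httpd/mod_ssl must be rebuilt
#   static-fixed       -> embedded OpenSSL is 1.0.1g+ or a non-1.0.1 branch
#   unknown            -> no OpenSSL linkage found in the object at all

# Printable runs of a binary, one per line (portable stand-in for strings(1)).
printable_strings() {
    tr -c '[:print:]' '\n' < "$1"
}

# DT_NEEDED entries live NUL-separated in .dynstr, so a dynamically linked
# module shows "libssl.so.X" at the start of one of those runs.
links_libssl_dynamically() {
    printable_strings "$1" | grep -q '^libssl\.so'
}

# OpenSSL version banners compiled into the object, e.g. "OpenSSL 1.0.1e".
embedded_openssl_versions() {
    printable_strings "$1" | grep -o 'OpenSSL [0-9][0-9A-Za-z.-]*' | sort -u
}

# Verdict for one object: mod_ssl.so, or the httpd binary itself when
# "httpd -l" lists mod_ssl.c among the compiled-in modules.
mod_ssl_heartbleed_verdict() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 1
    fi
    if links_libssl_dynamically "$1"; then
        echo dynamic
        return 0
    fi
    versions=$(embedded_openssl_versions "$1")
    if [ -z "$versions" ]; then
        echo unknown
        return 0
    fi
    # Affected per the OpenSSL advisory: 1.0.1 (no letter) through 1.0.1f,
    # plus 1.0.2-beta1. A suffix such as "-fips" is tolerated.
    if printf '%s\n' "$versions" | grep -Eq '^OpenSSL (1\.0\.1[a-f]?|1\.0\.2-beta1)(-|$)'; then
        echo static-vulnerable
    else
        echo static-fixed
    fi
}

# Stand-alone use: heartbleed_triage.sh /usr/lib/apache2/modules/mod_ssl.so /usr/sbin/httpd
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(mod_ssl_heartbleed_verdict "$f")"
done
```

Two caveats a practitioner should keep in mind. First, the "dynamic" verdict only tells you that the fix lives in the system library; confirm the library actually loaded with `ldd mod_ssl.so` and restart httpd after updating, since a running process keeps the old mapping. Second, the version banner is a heuristic: distribution packages that backported the fix keep an older version string such as 1.0.1e, so a static build made from such a patched source tree would be reported as vulnerable even though it is not, and conversely the banner says nothing about whether -DOPENSSL_NO_HEARTBEATS was used. Treat "static-vulnerable" as "rebuild unless you can prove otherwise".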