Guys,

A note about the impact of the potentially exploitable OpenSSL vulnerability CVE-2012-2110 on mod_ssl.

The OCSP part of Apache 2.4 mod_ssl makes use of the d2i_OCSP_RESPONSE_bio call which is affected. Since OCSP data relies on DNS it cannot be trusted and an attacker could inject malicious data by this route if OCSP or OCSP stapling is enabled. An alternative technique which would not rely on the OpenSSL upstream fix would be to use d2i_OCSP_RESPONSE instead.

The mod_ssl code also makes use of the affected d2i_X509_bio and d2i_PrivateKey_bio calls but these load certificates and keys for server configuration and so the data should come from trusted sources.

Steve.

--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road, Adamstown, MD 21710
+1 877-673-6775
[email protected]
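The alternative Steve describes, decoding the OCSP response from a bounded memory buffer with d2i_OCSP_RESPONSE rather than letting d2i_OCSP_RESPONSE_bio pull it straight off a BIO, as an added example that is not code from this note, from mod_ssl or from OpenSSL. The response size limit, the `read_fn` reader abstraction and the sample DER fragments are all constructed for the example; the outer DER header check is plain C so the file builds without libcrypto, and the actual d2i_OCSP_RESPONSE call is shown in a comment at the point where it would be made.

```c
/* Added example (not from the note, mod_ssl or OpenSSL): read an OCSP
 * response from an untrusted stream into a bounded buffer, validate the
 * outer DER SEQUENCE header against what was actually received, and only
 * then decode from memory with d2i_OCSP_RESPONSE(). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OCSP_RESPONSE 65536  /* assumed policy limit, not from the note */

/* Parse the outer DER SEQUENCE header of buf. Returns the total encoded
 * length (header + content) on success, or 0 for anything malformed,
 * indefinite-length, non-minimal, or longer than the bytes we hold. */
size_t der_sequence_len(const unsigned char *buf, size_t buflen)
{
    if (buflen < 2 || buf[0] != 0x30) return 0;   /* must be a SEQUENCE */
    size_t hdr = 2, len;
    unsigned char b = buf[1];
    if (b < 0x80) {
        len = b;                                  /* short form */
    } else if (b == 0x80 || b == 0xff) {
        return 0;                                 /* indefinite / reserved: not DER */
    } else {
        size_t n = b & 0x7f;                      /* number of length octets */
        if (n > sizeof(size_t) || buflen < 2 + n) return 0;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[2 + i];
        /* DER is minimal: no leading zero octet, long form only if needed */
        if (buf[2] == 0 || len < 0x80) return 0;
        hdr = 2 + n;
    }
    if (len > buflen - hdr) return 0;             /* claims more than received */
    return hdr + len;
}

/* Models the network read so the example runs offline. */
typedef size_t (*read_fn)(void *ctx, unsigned char *out, size_t max);

/* Fill out[] from reader up to the policy limit, then accept only a
 * complete SEQUENCE with no truncation and no trailing bytes.
 * Returns the validated DER length, or 0 to reject the response. */
size_t read_bounded_ocsp(read_fn reader, void *ctx, unsigned char *out, size_t outlen)
{
    if (outlen > MAX_OCSP_RESPONSE) outlen = MAX_OCSP_RESPONSE;
    size_t got = 0;
    while (got < outlen) {
        size_t n = reader(ctx, out + got, outlen - got);
        if (n == 0) break;
        got += n;
    }
    size_t der = der_sequence_len(out, got);
    if (der == 0 || der != got) return 0;
    /* Decode from memory here instead of d2i_OCSP_RESPONSE_bio(bio, NULL):
     *   const unsigned char *p = out;
     *   OCSP_RESPONSE *rsp = d2i_OCSP_RESPONSE(NULL, &p, (long)der);
     * The length passed is one we measured, not one the peer chose. */
    return der;
}

/* In-memory reader over a constructed byte string. */
struct mem_src { const unsigned char *data; size_t len, pos; };
static size_t mem_read(void *ctx, unsigned char *out, size_t max)
{
    struct mem_src *s = ctx;
    size_t n = s->len - s->pos;
    if (n > max) n = max;
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Run the bounded read over a constructed sample; returns accepted length or 0. */
size_t check_sample(const unsigned char *data, size_t len)
{
    unsigned char buf[MAX_OCSP_RESPONSE];
    struct mem_src src = { data, len, 0 };
    return read_bounded_ocsp(mem_read, &src, buf, sizeof buf);
}

/* Constructed DER fragments (not real OCSP responses). */
static const unsigned char SAMPLE_OK[]       = {0x30,0x03,0x02,0x01,0x05};           /* SEQUENCE { INTEGER 5 } */
static const unsigned char SAMPLE_OVERSIZE[] = {0x30,0x82,0xff,0xff,0x02,0x01};      /* claims 65535 bytes */
static const unsigned char SAMPLE_INDEF[]    = {0x30,0x80,0x02,0x01,0x05,0x00,0x00}; /* indefinite length */
static const unsigned char SAMPLE_NONMIN[]   = {0x30,0x81,0x03,0x02,0x01,0x05};      /* long form for len 3 */
static const unsigned char SAMPLE_TRAILING[] = {0x30,0x03,0x02,0x01,0x05,0x00};      /* junk after SEQUENCE */

int main(void)
{
    printf("ok=%zu oversize=%zu indef=%zu nonmin=%zu trailing=%zu\n",
           check_sample(SAMPLE_OK, sizeof SAMPLE_OK),
           check_sample(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE),
           check_sample(SAMPLE_INDEF, sizeof SAMPLE_INDEF),
           check_sample(SAMPLE_NONMIN, sizeof SAMPLE_NONMIN),
           check_sample(SAMPLE_TRAILING, sizeof SAMPLE_TRAILING));
    return 0;
}
```

The point of the pattern is that the length handed to the in-memory decoder is one the server measured against its own buffer and policy limit, so an OCSP responder (or whoever can steer the lookup via DNS) cannot make the decoder trust a length of its choosing; the same bounded-read-then-decode shape applies to any d2i_*_bio call fed from an untrusted peer.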
