SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."

No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server configuration change besides disabling SSL/TLS completely can resolve this. Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required. If you obtain OpenSSL in binary form with or without Apache HTTP Server, contact the supplier of the binary for resolution. If you build OpenSSL yourself, refer to the OpenSSL project for further information, including the advisory at http://www.openssl.org/news/secadv_20140407.txt .

XXXX

Have binaries which included an affected level of OpenSSL ever been distributed from our site? I don't see anything from the release/httpd/binaries/win32 directory in the output of svn log -v | grep openssl . (Is that the right check?)

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
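As an added example (not part of the original message or of the Apache or OpenSSL projects' code), the check an httpd administrator can run against the version strings the advisory text refers to: it pulls the OpenSSL version out of `openssl version` output or out of mod_ssl's startup line in error_log and classifies it against the affected range. The error_log line is constructed for the example, and the version-string check cannot see a vendor backport or a rebuild with heartbeats disabled, which is why the advisory says to confirm with the supplier of the binary.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version against CVE-2014-0160 using the
# strings an admin already has on hand. Sample error_log line is constructed.

# Extract the version token ("1.0.1e") from text such as
#   "OpenSSL 1.0.1e 11 Feb 2013"        (output of `openssl version`)
#   "... Library: OpenSSL/1.0.1e"       (mod_ssl startup message in error_log)
openssl_version_from() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*|\1|p' | head -n 1
}

# Print one of: affected, fixed, unaffected, unknown.
#   affected   1.0.1 through 1.0.1f (the range given in the linked OpenSSL advisory)
#   fixed      1.0.1g or a later letter on the 1.0.1 branch
#   unaffected 0.9.8 / 1.0.0: the Heartbeat extension was only added in 1.0.1
#   unknown    anything else, including pre-release builds: ask the supplier
# Caveat: a supplier may patch 1.0.1e without changing the version string, and a
# rebuild with the Heartbeat extension disabled keeps its version string too, so
# "affected" means "confirm with whoever built the binary", not "exploitable".
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f])   echo affected ;;
        1.0.1[g-z]*)        echo fixed ;;
        0.9.8*|1.0.0*)      echo unaffected ;;
        *)                  echo unknown ;;
    esac
}

# Status for a whole line of text (log line or `openssl version` output).
heartbleed_status_of_text() {
    heartbleed_status "$(openssl_version_from "$1")"
}

# Constructed sample of the mod_ssl startup line (AH01876); versions are made up.
SAMPLE_LOG='[Mon Apr 07 09:00:00 2014] [ssl:info] [pid 4242] AH01876: mod_ssl/2.4.9 compiled against Server: Apache/2.4.9, Library: OpenSSL/1.0.1e'

if [ "${1:-}" = "--self" ]; then
    # Check the openssl binary on PATH; only meaningful on the host running httpd,
    # and only if httpd actually links the same library (compare with error_log).
    heartbleed_status_of_text "$(openssl version 2>/dev/null)"
else
    heartbleed_status_of_text "$SAMPLE_LOG"   # prints: affected
fi
```

Run with `--self` on the server to classify the library on PATH; without arguments it classifies the constructed error_log line.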
