On Fri, Apr 11, 2014 at 8:38 AM, Jeff Trawick <[email protected]> wrote:
> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
> are vulnerable to CVE-2014-0160, the so called "Heartbleed Bug."
>
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
> configuration change besides disabling SSL/TLS completely can resolve this.
> Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
> extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
>

"SSLv2 and SSLv3 are not vulnerable to CVE-2014-0160, but limiting the configuration to one or both of those protocols is not recommended for other reasons."

>
> If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> contact the supplier of the binary for resolution. If you build OpenSSL
> yourself, refer to the OpenSSL project for further information, including
> the advisory at http://www.openssl.org/news/secadv_20140407.txt .
>
>
> XXXX
>
> Have binaries which included an affected level of OpenSSL ever been
> distributed from our site?
>
> I don't see anything from the release/httpd/binaries/win32 directory in
> the output of svn log -v | grep openssl . (Is that the right check?)
>
> --
> Born in Roswell... married an alien...
> http://emptyhammock.com/
> http://edjective.org/
>
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
