On Apr 11, 2014, at 14:38, Jeff Trawick <[email protected]> wrote:

> SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL 1.0.1a-f
> are vulnerable to CVE-2014-0160, the so called "Heartbleed Bug."
>
> No Apache HTTP Server fix is needed to resolve this; no Apache HTTP Server
> configuration change besides disabling SSL/TLS completely can resolve this.
> Instead, a patch to OpenSSL, a rebuild of OpenSSL with the TLS Heartbeat
> extension disabled, or an upgrade of OpenSSL to 1.0.1g or later is required.
>
> If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> contact the supplier of the binary for resolution. If you build OpenSSL
> yourself, refer to the OpenSSL project for further information, including the
> advisory at http://www.openssl.org/news/secadv_20140407.txt .
mod_spdy comes bundled with a script that builds mod_ssl.so with a statically linked OpenSSL. Other people may have done the same, or even with a mod_ssl built statically into Apache. For those, just updating OpenSSL may be insufficient to fix the Heartbleed bug.

rainer
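One way to check for the statically linked case described above, as an added example that is not part of the original thread or of any project's tooling: it looks inside a module (or an httpd binary) for the "part of OpenSSL <version>" banners that OpenSSL 1.0.x library objects carry, which is an assumption about the build, and the function names are hypothetical. A match on an affected version says the file needs review; the banner alone does not show whether the Heartbeat extension was compiled out or a fix was backported.

```shell
#!/bin/sh
# Added example: report OpenSSL versions statically linked into a module.
# Assumption: OpenSSL 1.0.x objects embed "<name> part of OpenSSL <version>"
# banners, so these show up in mod_ssl.so only when library code is linked in.
# (The plain "OpenSSL <version>" string from the build headers is ignored,
# because a dynamically linked mod_ssl.so can contain that one too.)

# Print each distinct embedded OpenSSL library version, one per line.
embedded_openssl_versions() {
    LC_ALL=C grep -a -o -E 'part of OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" 2>/dev/null |
        sed 's/^part of OpenSSL //' | sort -u
}

# Classify one file: prints "static-affected", "static-other" or "none-embedded".
classify_module() {
    versions=$(embedded_openssl_versions "$1")
    result="none-embedded"
    for v in $versions; do
        case "$v" in
            # 1.0.1a-f as named in the advisory above; the base 1.0.1
            # release also predates the fix in 1.0.1g.
            1.0.1|1.0.1[a-f]) echo "static-affected"; return 0 ;;
            *) result="static-other" ;;
        esac
    done
    echo "$result"
}

# Report on every path given, e.g. the modules directory and the httpd binary.
scan_modules() {
    for f in "$@"; do
        printf '%s: %s (embedded: %s)\n' "$f" "$(classify_module "$f")" \
            "$(embedded_openssl_versions "$f" | tr '\n' ' ')"
    done
}

if [ "$#" -gt 0 ]; then
    scan_modules "$@"
fi
```

Run it against each mod_ssl.so and httpd binary on the host; any file reported as static-affected has to be rebuilt against a fixed OpenSSL, since upgrading the shared library does not change it.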
