On Fri, Apr 11, 2014 at 8:56 AM, Rainer M. Canavan <[email protected]> wrote:

> On Apr 11, 2014, at 14:38 , Jeff Trawick <[email protected]> wrote:
>
> > SSL/TLS-enabled configurations of Apache HTTP Server with OpenSSL
> > 1.0.1a-f are vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug."
> >
> > No Apache HTTP Server fix is needed to resolve this; no Apache HTTP
> > Server configuration change besides disabling SSL/TLS completely can
> > resolve this. Instead, a patch to OpenSSL, a rebuild of OpenSSL with the
> > TLS Heartbeat extension disabled, or an upgrade of OpenSSL to 1.0.1g or
> > later is required.
> >
> > If you obtain OpenSSL in binary form with or without Apache HTTP Server,
> > contact the supplier of the binary for resolution. If you build OpenSSL
> > yourself, refer to the OpenSSL project for further information, including
> > the advisory at http://www.openssl.org/news/secadv_20140407.txt .
>
> mod_spdy comes bundled with a script that builds mod_ssl.so with a
> statically linked OpenSSL. Other people may have done the same, or even
> with a mod_ssl built statically into apache. For those, just updating
> OpenSSL may be insufficient to fix the heartbleed bug.
>
> rainer

Hmmm... mod_ssl could be linked statically with OpenSSL, mod_spdy or not.

Yeah it is more complicated, but that makes it even more useful to explain.

--/--

httpd and mod_ssl must be rebuilt with the new OpenSSL when OpenSSL is
statically linked with mod_ssl. Note: The build of mod_spdy may rebuild
mod_ssl in this manner.

If you are using a commercial product based on Apache HTTP Server, consult
the vendor for information about the applicability of CVE-2014-0160 to
your server. If you are otherwise using mod_ssl or a replacement for it
from a third party, consult the third party for more information. If your
third-party module build rebuilds mod_ssl (e.g., mod_spdy), consult the
vendor for more information.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
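The point raised above (a mod_ssl.so or httpd built with a statically linked OpenSSL is not fixed by updating the OpenSSL package) leaves an administrator with a practical question: how to tell which case a given binary is in. The following script is an added example, not part of this thread or of the httpd or mod_spdy projects. It assumes a Linux host with `ldd` and `strings` available and a module path such as `/usr/lib/apache2/modules/mod_ssl.so` (a placeholder; adjust to your install). If the binary has a shared `libssl`/`libcrypto` dependency, the system OpenSSL is what runs and updating it suffices; if it has none, OpenSSL is compiled in and the module must be rebuilt, as the mail says. The embedded "OpenSSL x.y.z" banner is then pulled from the binary and compared against the affected range from the OpenSSL advisory (1.0.1 through 1.0.1f).

```shell
#!/bin/sh
# check_ssl_linkage.sh (hypothetical name): classify how an httpd binary or
# mod_ssl.so obtains OpenSSL, and whether an embedded copy is a Heartbleed
# affected release. Added example; not code from the thread or the projects.

# classify_linkage: read ldd-style output on stdin and print
#   dynamic - shared libssl/libcrypto dependency; updating the OpenSSL package is enough
#   static  - no shared OpenSSL dependency; OpenSSL is compiled in and a rebuild is needed
classify_linkage() {
    if grep -Eq 'lib(ssl|crypto)\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# embedded_openssl_version: print the first "OpenSSL x.y.z[a-z]" banner found in a binary
embedded_openssl_version() {
    strings -a "$1" 2>/dev/null \
        | grep -Eo 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]?' \
        | head -n 1
}

# is_affected_version: exit 0 when a banner falls in the CVE-2014-0160 range
# (OpenSSL 1.0.1 through 1.0.1f per the OpenSSL advisory), 1 otherwise
is_affected_version() {
    case "$1" in
        'OpenSSL 1.0.1'|'OpenSSL 1.0.1'[a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_binary: report the linkage of one file and, for a static build,
# the embedded OpenSSL version and whether it is affected
check_binary() {
    bin="$1"
    [ -f "$bin" ] || { echo "$bin: not found"; return 2; }
    mode=$(ldd "$bin" 2>/dev/null | classify_linkage)
    echo "$bin: OpenSSL linkage is $mode"
    if [ "$mode" = static ]; then
        ver=$(embedded_openssl_version "$bin")
        echo "$bin: embedded banner '${ver:-none}'"
        if is_affected_version "$ver"; then
            echo "$bin: AFFECTED - rebuild against OpenSSL 1.0.1g or later"
            return 1
        fi
    fi
    return 0
}

# Usage (placeholder path; adjust to your layout):
#   sh check_ssl_linkage.sh /usr/lib/apache2/modules/mod_ssl.so
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_binary "$f"; done
fi
```

Check both `httpd` itself and `mod_ssl.so`, since the mail notes that mod_ssl may be built into the server rather than loaded as a module; a dynamic result for one file says nothing about the other.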
