I was just updating PR 63212 and could not point the user at a top-level,
definitive statement that they were trying to accomplish something very
unwise and which they should have known better. Apparently there are few
sources of this information. From http://httpd.apache.org/ ...

Apache httpd 2.4.38 Released 2019-01-22

The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce <http://www.apache.org/dist/httpd/Announcement2.4.html> the
release of version 2.4.38 of the Apache HTTP Server ("httpd").

This latest release from the 2.4.x stable branch represents the best
available version of Apache HTTP Server.

This seems to be somewhat unhelpful from a top-level knowledge point of
view, it doesn't indicate that they should choose 2.4.38 over 2.4.37 for
any particular reason, or that they would *need* to choose 2.4.38 if they
wished to have a server running against OpenSSL 1.1.1 and later.

Is there a way to improve communication of "do not use" guidance, outside
of information at http://httpd.apache.org/security/vulnerabilities_24.html
nested two-clicks deep?

I do not see such guidance at http://www.apache.org/dist/httpd/ either, the
Announcement does not suggest anything. Also finding the offending 2.4.37
release still available for download (surely just an oversight.)

Note PR 63212 may be entirely specific to AIX, and may be a side effect of
build schema changes of OpenSSL 1.1.1 itself. Sorry I no longer have the
hardware to explore such issues.

Reply via email to