Where can I find out when apache.org
will be bundling the latest version of OpenSSL with apache? PCI compliance
calls for using level "u" as of today.
Brad Finkeldei
"William A. Rowe Jr."
<wrowe@xxxxxxxxxxxxx>
04/24/2012 03:49 PM
Please respond to
users@xxxxxxxxxxxxxxxx
To
users@xxxxxxxxxxxxxxxx
cc
Subject
Re: Upgrading OpenSSL
without upgrading Apache. Can it be done???
On 4/24/2012 3:09 PM, TFML wrote:
> I'm assuming you're using some sort of Windows operating system. I
haven't done one in a
> few years, but I would assume the 1.0 version
> from http://slproweb.com/products/Win32OpenSSL.html should work like
installing any other
> Windows Installer. If someone else can't answer this, I'd suggest
setting up a virtual
> environment and giving it a try before doing it on a production system.
Just as on unix, you can never drop in a x.y.n change with a new x value.
That's called a major bump and usually does not work.
OP could obtain a 0.9.8X flavor later than 0.9.8t and aught to be fine
so long
as no special build options were changed, and it was built to run against
msvcrt.dll (the *system* c library). It's the same quandry as on
Ubuntu with
glibc vs eglibc packages.
If OP reviewed the patch release notes, they would be aware that an upgrade
is unnecessary between 0.9.8t and 0.9.8w for anyone running httpd 2.2.
The
new features in httpd 2.4 were vulnerable to issues there, however.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx