Hi, While the latest build was 2.2.22 for the 2.2.x version, some vulnerabilities were found in OpenSSL version 0.9.8t which was existing in the official “Win32 Binary including OpenSSL 0.9.8t (MSI Installer)” bundle. I have waited the new version which is 2.2.23 but it still have not included the latest OpenSSL version in its SSL bundle. I am a security guy, not the application server staff. I want my application server staff to aplly the patch to upgrade OpenSSL verion to 0.9.8v which eliminates 3 OpenSSL vulnerabilities. Thus, I have the following questions: 1. Why have not Apache included the latest OpenSSL version in the newly released 2.2.23 version? I have read somewhere that the latest OpenSSL version is included while releasing new version. 2. Is tehre an official bundle for 2.2.23 including OpenSSL 0.9.8v. 3. Is there a patch for apache httpd to upgrade only its OpenSSL module (currently we have the 2.2.22 version on Windows server). The patch may be applied for 2.2.22 or 2.2.23 PS: Related OpenSSL vulnerabilities are as following: · http://www.openssl.org/news/secadv_20120312.txt · http://www.openssl.org/news/secadv_20120419.txt · http://www.openssl.org/news/secadv_20120510.txt Please help. Thanks & Regards, Gorkem |
|