Re: Apache 2.2.x and CVE-2012-2333

Hi all,

Any idea on this issue?

Related to this issue, when will a person volunteer for the Windows version of Apache httpd 2.2.23 (hoping this will include the latest OpenSSL 0.9.8x version)? Still waiting for more than 3 months for the Windows version. Any "voluntary" help that will be published on the official site will be very appreciated by many users.

Regards,
Gorkem


From: Gorkem Durgut <gorkemdur@xxxxxxxxx>
To: "users@xxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, December 20, 2012 11:33 AM
Subject: Apache 2.2.x and CVE-2012-2333

Hi,

I am questioning if Apache 2.2.22 with OpenSSL 0.9.8t is affected by CVE-2012-2333 (OpenSSL Invalid TLS/DTLS Record Denial of Service Vulnerability)?

You may find the details of the vulnerability here: http://www.openssl.org/news/secadv_20120510.txt

Here, it says that "DTLS applications are affected in all versions of OpenSSL. TLS is only affected in OpenSSL 1.0.1 and later."

I do not have deeper knowledge about protocols, but I think as follows: DTLS means TLS for datagram packets, so it means HTTP does not use DTLS, right? On the other hand, TLS is affected in OpenSSL 1.0.1 and later, which means the 0.9.8-related version is not affected, right?

Thus, can I imply that the OpenSSL 0.9.8t version used with Apache httpd 2.2.22 is not affected by this vulnerability?

Can anybody comment on this issue? Is Apache 2.2.22 with OpenSSL 0.9.8t affected by CVE-2012-2333?


Thanks & Regards,
Gorkem


