Re: Upgrading OpenSSL without upgrading Apache. Can it be done???

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




On 4/24/2012 4:05 PM, BFinkeldei@xxxxxxxxxxxxxxx wrote:
> 
> Great thanks for the info!
> 
> Where can I find out when apache.org will be bundling the latest version of OpenSSL with
> apache?  PCI compliance calls for using level "u" as of today.

If you had read the notices from the OpenSSL project you would be aware
that the particular flaws in openssl 0.9.8 .u, .v and .w do not pertain
to the operation or deployment of httpd 2.2.x.  They do apply to the
operation of httpd 2.4, and adminstrators of 2.4 should upgrade ASAP.
(And if you were running 2.3-beta, upgrading httpd to 2.4 would be a very
wise move as well for httpd security flaws).

AFAIK only the windows binary 'bundles' openssl.  As that binary is not
affected it will not be updated, certainly not unless an httpd 2.2.23 is
released.

The ASF provides binaries only as a convenience and at our leisure; if
you are professionally responsible for an installation of httpd, openssl
and so forth which you refuse to compile yourself, you would probably
benefit from contracting for the services you are demanding.  The ASF
is here to collaboratively produce source code.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Photo]     [Yosemite Photos]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]


Add to Google Powered by Linux