[ANNOUNCE] mod_ssl 2.8.11-1.3.27

As you've hopefully recognized, the ASF released Apache 1.3.27, which
includes important security fixes. The corresponding mod_ssl 2.8.11 for
this version is now available, too.

Fetch it from:

http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Ralf S. Engelschall
rse@engelschall.com
www.engelschall.com

Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)

*) Upgraded to Apache 1.3.27.

*) Fixed internal error handling for CRL verification.

*) Initialize OpenSSL ENGINE before initializing OpenSSL
to workaround problems with the PRNG.

*) Also find "openssl" executable in "sbin" directories.

*) Honor specified number of maximum bytes on SSLRandomSeed
if reading from EGD.

*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

AW: [ANNOUNCE] mod_ssl 2.8.11-1.3.27

this new release has AFAIK nothing to do with the openssl-vulns.

It is a release for the today released apache-1.3.27 which fixes 3 vulns in
the apache itself.

If you want to fix the vulns in SSL you have to upgrade or patch your
openssl-package.

Andreas

----
e-admin internet gmbh
andreas gietl
ludwig-thoma-strasse 35
93051 Regensburg


-----Ursprüngliche Nachricht-----
Von: owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org]Im Auftrag von Jeff Bert
Gesendet: Freitag, 4. Oktober 2002 18:56
An: modssl-users@modssl.org
Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27


Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a hobby
for friends' websites and have been actually having quite a number of people
trying the ssl hack on my server.

Jeff

> As you've hopefully recognized, the ASF released Apache 1.3.27, which
> includes important security fixes. The corresponding mod_ssl 2.8.11 for
> this version is now available, too.
>
> Fetch it from:
>
> http://www.modssl.org/source/
> ftp://ftp.modssl.org/source/
> Ralf S. Engelschall
> rse@engelschall.com
> www.engelschall.com
>
> Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)
>
> *) Upgraded to Apache 1.3.27.
>
> *) Fixed internal error handling for CRL verification.
>
> *) Initialize OpenSSL ENGINE before initializing OpenSSL
> to workaround problems with the PRNG.
>
> *) Also find "openssl" executable in "sbin" directories.
>
> *) Honor specified number of maximum bytes on SSLRandomSeed
> if reading from EGD.
>
> *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27

Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a hobby
for friends' websites and have been actually having quite a number of people
trying the ssl hack on my server.

Jeff

> As you've hopefully recognized, the ASF released Apache 1.3.27, which
> includes important security fixes. The corresponding mod_ssl 2.8.11 for
> this version is now available, too.
>
> Fetch it from:
>
> http://www.modssl.org/source/
> ftp://ftp.modssl.org/source/
> Ralf S. Engelschall
> rse@engelschall.com
> www.engelschall.com
>
> Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)
>
> *) Upgraded to Apache 1.3.27.
>
> *) Fixed internal error handling for CRL verification.
>
> *) Initialize OpenSSL ENGINE before initializing OpenSSL
> to workaround problems with the PRNG.
>
> *) Also find "openssl" executable in "sbin" directories.
>
> *) Honor specified number of maximum bytes on SSLRandomSeed
> if reading from EGD.
>
> *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

AW: [ANNOUNCE] mod_ssl 2.8.11-1.3.27

ok,

i just wanted to say that to prevent any confusions you may have been a
victim off. Your post read like it.

andreas


> well, I already upgraded to openssl- > 0.9.6g back with apache-1.3.26 and
> modssl 2.8.10

> Jeff

> this new release has AFAIK nothing to do with the openssl-vulns.
>
> It is a release for the today released apache-1.3.27 which fixes 3 vulns
in
> the apache itself.
>
> If you want to fix the vulns in SSL you have to upgrade or patch your
> openssl-package.
>
> Andreas
>
> ----
> e-admin internet gmbh
> andreas gietl
> ludwig-thoma-strasse 35
> 93051 Regensburg
>
>
> -----Ursprüngliche Nachricht-----
> Von: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org]Im Auftrag von Jeff Bert
> Gesendet: Freitag, 4. Oktober 2002 18:56
> An: modssl-users@modssl.org
> Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
>
>
> Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a
hobby
> for friends' websites and have been actually having quite a number of
people
> trying the ssl hack on my server.
>
> Jeff
>
> > As you've hopefully recognized, the ASF released Apache 1.3.27, which
> > includes important security fixes. The corresponding mod_ssl 2.8.11 for
> > this version is now available, too.
> >
> > Fetch it from:
> >
> > http://www.modssl.org/source/
> > ftp://ftp.modssl.org/source/
> > Ralf S. Engelschall
> > rse@engelschall.com
> > www.engelschall.com
> >
> > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)
> >
> > *) Upgraded to Apache 1.3.27.
> >
> > *) Fixed internal error handling for CRL verification.
> >
> > *) Initialize OpenSSL ENGINE before initializing OpenSSL
> > to workaround problems with the PRNG.
> >
> > *) Also find "openssl" executable in "sbin" directories.
> >
> > *) Honor specified number of maximum bytes on SSLRandomSeed
> > if reading from EGD.
> >
> > *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27

well, I already upgraded to openssl-0.9.6g back with apache-1.3.26 and
modssl 2.8.10

Jeff

> this new release has AFAIK nothing to do with the openssl-vulns.
>
> It is a release for the today released apache-1.3.27 which fixes 3 vulns
in
> the apache itself.
>
> If you want to fix the vulns in SSL you have to upgrade or patch your
> openssl-package.
>
> Andreas
>
> ----
> e-admin internet gmbh
> andreas gietl
> ludwig-thoma-strasse 35
> 93051 Regensburg
>
>
> -----Ursprüngliche Nachricht-----
> Von: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org]Im Auftrag von Jeff Bert
> Gesendet: Freitag, 4. Oktober 2002 18:56
> An: modssl-users@modssl.org
> Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
>
>
> Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a
hobby
> for friends' websites and have been actually having quite a number of
people
> trying the ssl hack on my server.
>
> Jeff
>
> > As you've hopefully recognized, the ASF released Apache 1.3.27, which
> > includes important security fixes. The corresponding mod_ssl 2.8.11 for
> > this version is now available, too.
> >
> > Fetch it from:
> >
> > http://www.modssl.org/source/
> > ftp://ftp.modssl.org/source/
> > Ralf S. Engelschall
> > rse@engelschall.com
> > www.engelschall.com
> >
> > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)
> >
> > *) Upgraded to Apache 1.3.27.
> >
> > *) Fixed internal error handling for CRL verification.
> >
> > *) Initialize OpenSSL ENGINE before initializing OpenSSL
> > to workaround problems with the PRNG.
> >
> > *) Also find "openssl" executable in "sbin" directories.
> >
> > *) Honor specified number of maximum bytes on SSLRandomSeed
> > if reading from EGD.
> >
> > *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27

Thanks Andreas, I appreciate the thought.

Jeff


> ok,
>
> i just wanted to say that to prevent any confusions you may have been a
> victim off. Your post read like it.
>
> andreas
>
>
> > well, I already upgraded to openssl- > 0.9.6g back with apache-1.3.26
and
> > modssl 2.8.10
>
> > Jeff
>
> > this new release has AFAIK nothing to do with the openssl-vulns.
> >
> > It is a release for the today released apache-1.3.27 which fixes 3 vulns
> in
> > the apache itself.
> >
> > If you want to fix the vulns in SSL you have to upgrade or patch your
> > openssl-package.
> >
> > Andreas
> >
> > ----
> > e-admin internet gmbh
> > andreas gietl
> > ludwig-thoma-strasse 35
> > 93051 Regensburg
> >
> >
> > -----Ursprüngliche Nachricht-----
> > Von: owner-modssl-users@modssl.org
> > [mailto:owner-modssl-users@modssl.org]Im Auftrag von Jeff Bert
> > Gesendet: Freitag, 4. Oktober 2002 18:56
> > An: modssl-users@modssl.org
> > Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
> >
> >
> > Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a
> hobby
> > for friends' websites and have been actually having quite a number of
> people
> > trying the ssl hack on my server.
> >
> > Jeff
> >
> > > As you've hopefully recognized, the ASF released Apache 1.3.27, which
> > > includes important security fixes. The corresponding mod_ssl 2.8.11
for
> > > this version is now available, too.
> > >
> > > Fetch it from:
> > >
> > > http://www.modssl.org/source/
> > > ftp://ftp.modssl.org/source/
> > > Ralf S. Engelschall
> > > rse@engelschall.com
> > > www.engelschall.com
> > >
> > > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)
> > >
> > > *) Upgraded to Apache 1.3.27.
> > >
> > > *) Fixed internal error handling for CRL verification.
> > >
> > > *) Initialize OpenSSL ENGINE before initializing OpenSSL
> > > to workaround problems with the PRNG.
> > >
> > > *) Also find "openssl" executable in "sbin" directories.
> > >
> > > *) Honor specified number of maximum bytes on SSLRandomSeed
> > > if reading from EGD.
> > >
> > > *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.
> > > ____________________________________________________________ __________
> > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > User Support Mailing List modssl-users@modssl.org
> > > Automated List Manager majordomo@modssl.org
> > >
> >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> >
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org