apache 2.2.13 SSL renegotiation vulnerability


on 25.11.2009 22:56:25 by David Taveras

Hello,

I've seen that 2.2.14 comes with a patch for the recent SSL
renegotiation vulnerability. Could anybody tell me if there is a patch
available for apache 2.2.13? I am not ready to update yet.

Thank you.

David

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: apache 2.2.13 SSL renegotiation vulnerability

on 26.11.2009 08:36:22 by Boyle Owen

> -----Original Message-----
> From: David Taveras [mailto:d3taveras38d3@gmail.com]
> Sent: Wednesday, November 25, 2009 10:56 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] apache 2.2.13 SSL renegotiation vulnerability
>
> Hello,
>
> I've seen that 2.2.14 comes with a patch for the recent SSL
> renegotiation vulnerability. Could anybody tell me if there is a patch
> available for apache 2.2.13

The patch applies to four files in mod_ssl:

Index: modules/ssl/ssl_private.h
Index: modules/ssl/ssl_engine_init.c
Index: modules/ssl/ssl_engine_io.c
Index: modules/ssl/ssl_engine_kernel.c

If you compare the diffs between 2.2.13 and 2.2.14, you'll find that
there is only a difference in one file (ssl_engine_init.c) and even that
is only an edit within a line (so the line arrangement doesn't change).
Therefore, the patch _should_ work just fine with 2.2.13. Try it and let
us know!

> .. I am not ready to update yet.

If you're going to recompile a module, there's not much more effort to
just doing the whole thing..

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

PS - To test the patch is working:
http://www.mail-archive.com/dev@httpd.apache.org/msg46109.html

>
> Thank you.
>
> David
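The reasoning in the reply above (of the four patched mod_ssl files, only ssl_engine_init.c differs between the two releases, and only within a line, so the line arrangement is unchanged) can be checked mechanically before patching. The script below is an added example, not part of the original thread or the httpd project; the function names and the tiny demo trees are constructed for illustration, and in real use `old_root` and `new_root` would be the unpacked 2.2.13 and 2.2.14 source directories.

```python
import difflib
import tempfile
from pathlib import Path

# The four mod_ssl files the reply lists as touched by the fix.
PATCHED_FILES = [
    "modules/ssl/ssl_private.h",
    "modules/ssl/ssl_engine_init.c",
    "modules/ssl/ssl_engine_io.c",
    "modules/ssl/ssl_engine_kernel.c",
]

def classify(old_lines, new_lines):
    """Return 'identical', 'in-place' (line numbers kept) or 'shifted'."""
    matcher = difflib.SequenceMatcher(None, old_lines, new_lines, autojunk=False)
    changed = [op for op in matcher.get_opcodes() if op[0] != "equal"]
    if not changed:
        return "identical"
    for tag, i1, i2, j1, j2 in changed:
        # Anything but an equal-length replace adds or removes lines.
        if tag != "replace" or (i2 - i1) != (j2 - j1):
            return "shifted"
    return "in-place"

def compare_trees(old_root, new_root, files=PATCHED_FILES):
    """Classify each patched file between two unpacked source trees."""
    report = {}
    for rel in files:
        pair = [Path(old_root, rel), Path(new_root, rel)]
        if all(p.is_file() for p in pair):
            report[rel] = classify(*(p.read_text(errors="replace").splitlines() for p in pair))
        else:
            report[rel] = "missing"
    return report

def demo():
    """Run the check on two tiny CONSTRUCTED trees (not real httpd source)."""
    with tempfile.TemporaryDirectory() as tmp:
        for tree in ("old", "new"):
            for rel in PATCHED_FILES:
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                body = ["/* constructed */", "int a = 1;", "int b = 2;"]
                if tree == "new" and rel.endswith("ssl_engine_init.c"):
                    body[1] = "int a = 10;"  # edit within one line
                path.write_text("\n".join(body) + "\n")
        return compare_trees(Path(tmp, "old"), Path(tmp, "new"))

if __name__ == "__main__":
    print("\n".join(f"{verdict:10} {name}" for name, verdict in demo().items()))
```

An "in-place" verdict only shows that hunk offsets are preserved; a hunk that touches the edited line can still be rejected, so follow it with `patch --dry-run` against the 2.2.13 tree before applying the patch for real.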