OpenCSW Bug Tracker


Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0005174 [apache2] upgrade minor have not tried 2014-05-26 15:17 2016-09-27 13:34
Reporter briandking View Status public  
Assigned To dam
Priority normal Resolution fixed  
Status closed  
Summary 0005174: Update mod_ssl to be based on openssl 1.0.1g for heartbleed bug
Description Mod_ssl packaged with the current CSWapache2 appears to be based on a version of openssl that was vulnerable to the heartbleed bug:

bash-3.2# strings /opt/csw/apache2/libexec/mod_ssl.so | grep -i openssl
...
OpenSSL 1.0.1f 6 Jan 2014


A newer version of the apache 2.2 line is released as well, which contains a couple of security fixed. CSWapache2 is currently at 2.2.26 and the current apache release is 2.2.27:

http://www.apache.org/dist/httpd/Announcement2.2.html [^]
Additional Information
Tags No tags attached.
Attached Files

- Relationships

-  Notes
(0010844)
dam (administrator)
2014-06-02 09:20

Regarding OpenSSL: It shouldn't matter which string is put inside mod_ssl, look at the actual shared library binding:

root@web [web]:/root > ldd -r /opt/csw/apache2/libexec/mod_ssl.so | less
        libssl.so.1.0.0 => /opt/csw/lib/sparcv8plus+vis/libssl.so.1.0.0
        libcrypto.so.1.0.0 => /opt/csw/lib/sparcv8plus+vis/libcrypto.so.1.0.0
...

which is part of OpenSSL 1.0.1g:

root@web [web]:/root > pkginfo -x CSWlibssl1-0-0
CSWlibssl1-0-0 libssl1_0_0 - Openssl 1.0 runtime libraries
                (sparc) 1.0.1g,REV=2014.04.08

I just started rerolling 2.2.27.
(0010846)
dam (administrator)
2014-06-02 11:38

An updated Apache 2.2.27 will show up here soon:
  http://buildfarm.opencsw.org/experimental.html#apache22 [^]
Please let me know if to works so I can push it to unstable/.
(0011192)
briandking (reporter)
2016-09-26 17:15

This issue can be closed


Copyright © 2000 - 2008 Mantis Group
Powered by Mantis Bugtracker