[apache2 0005174]: Update mod_ssl to be based on openssl 1.0.1g for heartbleed bug

Mantis Bug Tracker via bug-notifications bug-notifications at lists.opencsw.org
Mon Jun 2 09:20:12 CEST 2014


A NOTE has been added to this issue. 
====================================================================== 
https://www.opencsw.org/mantis/view.php?id=5174 
====================================================================== 
Reported By:                briandking
Assigned To:                dam
====================================================================== 
Project:                    apache2
Issue ID:                   5174
Category:                   upgrade
Reproducibility:            have not tried
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             2014-05-26 15:17 CEST
Last Modified:              2014-06-02 09:20 CEST
====================================================================== 
Summary:                    Update mod_ssl to be based on openssl 1.0.1g for heartbleed bug
Description: 
Mod_ssl packaged with the current CSWapache2 appears to be based on a
version of openssl that was vulnerable to the heartbleed bug:

bash-3.2# strings /opt/csw/apache2/libexec/mod_ssl.so | grep -i openssl
...
OpenSSL 1.0.1f 6 Jan 2014


A newer version of the Apache 2.2 line is released as well, which contains
a couple of security fixes. CSWapache2 is currently at 2.2.26 and the
current Apache release is 2.2.27:

http://www.apache.org/dist/httpd/Announcement2.2.html

====================================================================== 

---------------------------------------------------------------------- 
 (0010844) dam (administrator) - 2014-06-02 09:20
 https://www.opencsw.org/mantis/view.php?id=5174#c10844 
---------------------------------------------------------------------- 
Regarding OpenSSL: It shouldn't matter which string is put inside mod_ssl,
look at the actual shared library binding:

root at web [web]:/root > ldd -r  /opt/csw/apache2/libexec/mod_ssl.so | less
        libssl.so.1.0.0 =>      /opt/csw/lib/sparcv8plus+vis/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>   /opt/csw/lib/sparcv8plus+vis/libcrypto.so.1.0.0
...

which is part of OpenSSL 1.0.1g:

root at web [web]:/root > pkginfo -x CSWlibssl1-0-0
CSWlibssl1-0-0  libssl1_0_0 - Openssl 1.0 runtime libraries
                (sparc) 1.0.1g,REV=2014.04.08

I just started rerolling 2.2.27.
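The check dam describes above, as an added example (Python code written for this page, not code from the OpenCSW tracker, the CSW packages or httpd): the "OpenSSL 1.0.1f" banner that `strings` finds in mod_ssl.so only records the headers the module was built against, so the script resolves the libssl/libcrypto that `ldd` actually binds and reads the banner from those files instead. The `ldd -r` invocation, the sample output and the banner string are taken from the issue; `audit_module` assumes a host where `ldd` is on the PATH.

```python
import re
import subprocess

# Added example: Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f;
# 1.0.1g fixed it (the 1.0.2 betas were also affected and are not modelled here).
VERSION_RE = re.compile(rb"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
LDD_RE = re.compile(r"^\s*(lib(?:ssl|crypto)\.so\S*)\s*=>\s*(\S+)", re.M)

def parse_openssl_version(data):
    """(major, minor, patch, letter) of the first 'OpenSSL x.y.z' banner in str or bytes."""
    if isinstance(data, str):
        data = data.encode()
    m = VERSION_RE.search(data)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode())

def heartbleed_vulnerable(version):
    """True for 1.0.1 (no letter) up to and including 1.0.1f; False from 1.0.1g on."""
    major, minor, patch, letter = version
    return (major, minor, patch) == (1, 0, 1) and letter < "g"

def resolved_openssl_libs(ldd_output):
    """Map each libssl/libcrypto soname in ldd output to the path it resolves to."""
    return dict(LDD_RE.findall(ldd_output))

def library_version_from_file(path):
    """Read the banner from the resolved library itself, as `strings` would show it."""
    with open(path, "rb") as f:
        return parse_openssl_version(f.read())

def audit_module(module_path):
    """Run ldd on a module; report (path, version, vulnerable?) per linked OpenSSL library."""
    ldd = subprocess.run(["ldd", "-r", module_path], capture_output=True, text=True)
    report = {}
    for soname, path in resolved_openssl_libs(ldd.stdout).items():
        ver = library_version_from_file(path)
        report[soname] = (path, ver, heartbleed_vulnerable(ver) if ver else None)
    return report

# Constructed sample, modelled on the ldd output quoted in the issue.
SAMPLE_LDD = """\
        libssl.so.1.0.0 =>      /opt/csw/lib/sparcv8plus+vis/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>   /opt/csw/lib/sparcv8plus+vis/libcrypto.so.1.0.0
        libc.so.1 =>    /lib/libc.so.1
"""
SAMPLE_BANNER = "OpenSSL 1.0.1f 6 Jan 2014"  # banner `strings` found inside mod_ssl.so
```

`audit_module("/opt/csw/apache2/libexec/mod_ssl.so")` returns a per-library verdict on the real binding; a vulnerable banner in the module with a 1.0.1g libssl on disk is exactly the situation the comment describes.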
