Cloud Testing Blog » Apache http://www.cloudtesting.com/blog Automated Functional, Cross Browser and Load Testing for Websites Fri, 23 Jul 2010 21:48:09 +0000 en hourly 1 http://wordpress.org/?v=3.0 Apache/mod_ssl vulnerability and mitigation http://www.cloudtesting.com/blog/2009/11/07/apachemod_ssl-vulnerability-and-mitigation/ http://www.cloudtesting.com/blog/2009/11/07/apachemod_ssl-vulnerability-and-mitigation/#comments Sat, 07 Nov 2009 09:51:13 +0000 Phil Smith - Cloud Testing http://blog.cloudtesting.com/?p=947 Apache HTTP feather logo

The following announcement has just been made to the announce mailing list:

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM attack[2]).

The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared to deploy OpenSSL 0.9.8m as it becomes available[3].

Note that these are for short term and mid-term mitigation only; the long term solution may well require a modification of the SSL and/or

TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging – we recommend that you roll out

this patch[5]:

http://www.apache.org/dist/httpd/patches/

apply_to_2.2.14 CVE-2009-3555-2.2.patch

sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the

OpenSSL 0.9.8l stopgap measure this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll our a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates

then we recommend that you 1) ensure that you limit your configuration to a single ‘SSLClient require’ on VirtualHost/Sever level and 2)

remove all other (re)negotiation/require directives. However this does NOT fully protect you – it just curtails authentication in this

specific setting.

]]> http://www.cloudtesting.com/blog/2009/11/07/apachemod_ssl-vulnerability-and-mitigation/feed/ 0 Apache HTTP Server 2.2.13 http://www.cloudtesting.com/blog/2009/08/10/apache-http-server-2-2-13-released/ http://www.cloudtesting.com/blog/2009/08/10/apache-http-server-2-2-13-released/#comments Mon, 10 Aug 2009 15:36:43 +0000 Phil Smith - Cloud Testing http://blog.cloudtesting.com/2009/08/10/apache-http-server-2-2-13-released/ Apache HTTP feather logo

An updated version of the Apache 2.2 web server has been released. It is primarily a security and bug fix release. It also bundles version 1.3.8 of the APR Library version 1.3.9 of the APR Utility Library, which addresses a security concern that may be triggered by some 3rd party modules.

All users are encouraged to upgrade to this version.

For full details see the Apache HTTP Server website at http://httpd.apache.org/

If you need to check your websites, why not give Cloud Testing a try – http://www.cloudtesting.com/, we offer a Functional Testing Service, Cross Browser Testing Service and a Website Archiving Service.

]]> http://www.cloudtesting.com/blog/2009/08/10/apache-http-server-2-2-13-released/feed/ 0