OpenSSL 3.1.6 - Security Vulnerability
Posted by: jjuarez (155.135.55.---)
Date: September 25, 2024 07:11PM

Hello,

I was made aware of a security vulnerability related to OpenSSL version 3.1.6 (see below details). Note: I am currently running Apache 2.4.62 and Wamp 3.3.6. Will there be an upgraded version of OpenSSL (i.e. 3.1.7) anytime soon? Thank you.

Details

Impact: Abnormal termination of an application can cause a denial of service.

Vulnerability Insight: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.


References
cve: CVE-2024-6119
url: [openssl-library.org]
url: [openssl-library.org]
cert-bund: WID-SEC-2024-2040
dfn-cert: DFN-CERT-2024-2322
dfn-cert: DFN-CERT-2024-2285


Best,
Jeff

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: Otomatic (Moderator)
Date: September 25, 2024 08:01PM

Hi,

This is absolutely not the place to ask such questions!

Wampserver is just a user of Apache and openssl, and updates Apache as soon as a new version is released!

See at: https://www.apachelounge.com/ or https://www.apache.org/

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: CarlJames (---.toob.co.uk)
Date: September 26, 2024 11:33AM

Hello, OpenSSL have released a 3.1.7 update earlier this month: [openssl-library.org]

Do you know if we can expect to see a Wampserver addon with this soon?



Edited 1 time(s). Last edit at 09/26/2024 11:35AM by CarlJames.

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: Otomatic (Moderator)
Date: September 26, 2024 03:40PM

Hi,

> Do you know if we can expect to see a Wampserver addon with this soon?

I can only repeat what I said above:

-- Wampserver is just a user of Apache and openssl, and updates Apache as soon as a new version is released!

I'm not the one compiling Apache. There are no new Apache versions at Apache Lounge.

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: jjuarez (155.135.55.---)
Date: September 30, 2024 06:53PM

Hi Otomatic,
Thank you for the reply and the link to the Apache Lounge. I took a look at the site and on their downloads page (https://www.apachelounge.com/download/), they have a package that was released for Windows on 9/24/2024 (httpd-2.4.62-240904-win64-VS17.zip) with the OpenSSL version 3.1.7 which is the latest. How soon until this is available?

Gracias!
Jeff

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: Otomatic (Moderator)
Date: September 30, 2024 08:04PM

Hi,

I didn't see this before closing my computer.
New Apache will be available tomorrow morning, France Time.

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: Otomatic (Moderator)
Date: October 01, 2024 08:39AM

Hi,

For Apache 2.4.62-240904, the date is Y-M-D (Year Month Day), i.e. 4 September 2024.

It is Apache 2.4.62.1 64 bit x64
- openssl 3.1.6
- nghttp2 1.62.1
- jansson 2.14
- curl 8.8.0
- apr 1.7.5
- apr-util 1.6.3
- apr-iconv 1.2.2
- zlib 1.3.1
- brotli 1.1.0
- pcre2 10.44
- libxml2 2.13.1
- lua 5.4.6
- expat 2.6.2
mod evasive 2.2.0 - mod security 2.9.7

Where have you seen an Apache version with openssl 3.1.7?

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: jjuarez (155.135.55.---)
Date: October 03, 2024 06:47PM

Hi Otomatic,

Here's how I found out that OpenSSL is included in

1. Go to [www.apachelounge.com]
2. On the left menu pane, click on "Downloads" (takes you here: [www.apachelounge.com])
3. In the section "Apache 2.4 binaries VS17", look for the subtitle "Apache 2.4.62-240904 Win64" (in green text)
4. Click on the "httpd-2.4.62-240904-win64-VS17.zip" hyperlink to download the package
5. Once you've downloaded the package, extract the files and navigate to ~\httpd-2.4.62-240904-win64-VS17.zip\Apache24\bin
6. Look for the openssl.exe
7. Right-click on the file > Properties > Details - this will show you the "product version" and also "file version" - both are 3.1.7

Hope that helps.

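The check in steps 5 to 7 of the post above, scripted so it can be repeated after each update instead of relying on a changelog. This is an added example, not part of the original post; the default `$BinDir` path and the two DLL names (`libssl-3-x64.dll`, `libcrypto-3-x64.dll`) are assumptions about the package layout, and the 3.1.7 minimum is the version named in this thread.

```powershell
# Added example: read the version resource of the OpenSSL binaries shipped
# in an Apache bin directory and compare it with a minimum version.
param(
    # Assumed location: the extracted bin directory from step 5; adjust to your install.
    [string]$BinDir = '.\Apache24\bin',
    # Minimum acceptable OpenSSL version (3.1.7 is the release named in the thread).
    [version]$Minimum = '3.1.7'
)

# openssl.exe is the file the post inspects; the DLL names are assumptions.
$names = 'openssl.exe', 'libssl-3-x64.dll', 'libcrypto-3-x64.dll'

function Get-OpenSslFileStatus {
    param([string]$Path, [version]$Minimum)

    # Same data as Explorer's Properties > Details tab.
    $info  = (Get-Item -LiteralPath $Path).VersionInfo
    $raw   = $info.ProductVersion
    $found = $null

    # Keep only the leading dotted-numeric part so suffixes do not break parsing.
    if ($raw -match '^\d+(\.\d+){1,3}') { $found = [version]$Matches[0] }

    [pscustomobject]@{
        File           = Split-Path $Path -Leaf
        ProductVersion = $raw
        FileVersion    = $info.FileVersion
        Status         = if (-not $found) { 'UNKNOWN' }
                         elseif ($found -ge $Minimum) { 'OK' }
                         else { 'OUTDATED' }
    }
}

$results = foreach ($name in $names) {
    $path = Join-Path $BinDir $name
    if (Test-Path -LiteralPath $path) {
        Get-OpenSslFileStatus -Path $path -Minimum $Minimum
    } else {
        [pscustomobject]@{ File = $name; ProductVersion = $null; FileVersion = $null; Status = 'MISSING' }
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or deployment script flag the host.
if ($results.Status -contains 'OUTDATED') { exit 1 }
```

Checking the libraries as well as `openssl.exe` matters because the server process loads the DLLs, not the command-line tool.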
Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: Otomatic (Moderator)
Date: October 04, 2024 08:50AM

Hi,

You're right. After investigation, it turns out that the numbering error is in the Apache Lounge changelog:
Apache httpd 2.4.62 GA Available :: Update

The version available for Wampserver Apache 2.4.62.1 includes openssl 3.1.7, I have corrected the display accordingly.

Re: OpenSSL 3.1.6 - Security Vulnerability
Posted by: jjuarez (155.135.55.---)
Date: October 07, 2024 06:53PM

Thanks for the follow-up Otomatic. I will work on updating our WampServer to this version. Appreciate the help.

Jeff
