AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

  • 1.  httpd security vulnerability fix

    Posted Tue December 05, 2023 02:29 AM

    httpd-2.4.58-1.aix7.1.ppc.rpm is now available in AIX Toolbox.

    This version of httpd has fixes for the following security vulnerabilities.

    CVE-2023-45802
    CVE-2023-43622
    CVE-2023-31122


    You can use DNF to update to this version of the package from the AIX Toolbox repository.



    ------------------------------
    RESHMA KUMAR
    ------------------------------


  • 2.  RE: httpd security vulnerability fix

    Posted Thu December 14, 2023 07:16 AM

    Hi Reshma,

    Is there a plan to update mod_ssl to a more recent version?

    There is a published CVE-2023-5678 for OpenSSL versions < 1.1.1x.

    The latest version in the repository has version 1.1.1t and Tenable is marking this as a security issue.

    < Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1t

    Thank you in advance,

    Jurij



    ------------------------------
    Jurij Sikorsky
    ------------------------------



  • 3.  RE: httpd security vulnerability fix

    Posted Thu December 14, 2023 07:40 AM

    mod_ssl is dynamically linked to the OpenSSL library (libssl & libcrypto). There is no need to recompile mod_ssl with the latest OpenSSL, so updating OpenSSL on the machine is enough here. Tenable has this problem of looking at the OpenSSL used to compile mod_ssl rather than the OpenSSL installed on the machine. This needs to be changed.



    ------------------------------
    Ayappan P
    ------------------------------



  • 4.  RE: httpd security vulnerability fix

    Posted Tue December 19, 2023 07:04 PM

    Thank you for the clarification.

    I can confirm that mod_ssl uses the system OpenSSL library; I'm sorry for the misunderstanding.

    But I cannot confirm that the OpenSSL version reported in the headers by httpd is the one used to compile mod_ssl.

    I had OpenSSL 3.0.8 installed and this was reported by httpd as version 1.1.1t.

    I upgraded OpenSSL to the latest available version, 3.0.10, and the version reported by httpd changed to 1.1.1v, so this is really a dynamic value.

    BTW, this CVE is fixed in OpenSSL 3.0.13, which is not available from IBM yet.

    Thank you for your time.



    ------------------------------
    Jurij Sikorsky
    ------------------------------
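
The point made in reply 3 (mod_ssl links libssl/libcrypto dynamically, so the library on the machine is what runs) and the observation in reply 4 (the banner moved from 1.1.1t to 1.1.1v after an OpenSSL update, so it echoes the runtime library) can both be checked rather than trusted. The script below is an added example and is not code from this thread or from the AIX Toolbox packages. It extracts the OpenSSL version from a Server header, rates it against the fixed releases for CVE-2023-5678 that the thread cites (1.1.1x for the 1.1.1 line, 3.0.13 for 3.0), and, on an AIX host, lists the libssl/libcrypto objects a running httpd process has actually mapped with procldd. The sample header is the one quoted in reply 2; the httpd pid argument, the presence of procldd and curl, and the use of sort/awk in place of the non-POSIX sort -V are assumptions about the target host.

```shell
#!/bin/sh
# Added example, not from the thread or the AIX Toolbox packages.
# Rates the OpenSSL version httpd advertises against the CVE-2023-5678 fixed
# releases cited in the thread, and (on AIX) shows what the live process loaded.

# Pull "x.y.zS" out of a Server header such as
#   Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1t
# Prints nothing when the header carries no OpenSSL token (e.g. ServerTokens Prod).
banner_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Turn a version into a sortable dotted key: "1.1.1t" -> "1.1.1.20",
# "3.0.13" -> "3.0.13.0". The 1.1.1 line uses a letter suffix, so map it to
# its alphabet position; a missing suffix sorts lowest.
version_key() {
    num=$(printf '%s' "$1" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//')
    if [ -z "$letter" ]; then
        ord=0
    else
        ord=$(awk -v l="$letter" 'BEGIN { print index("abcdefghijklmnopqrstuvwxyz", l) }')
    fi
    printf '%s.%s\n' "$num" "$ord"
}

# Exit 0 when version $1 is at least version $2 (same release line assumed).
# Field-wise numeric sort; AIX sort has no -V.
version_ge() {
    k1=$(version_key "$1")
    k2=$(version_key "$2")
    lowest=$(printf '%s\n%s\n' "$k1" "$k2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$k2" ]
}

# Lowest release of each line carrying the CVE-2023-5678 fix, as cited in the thread.
# Other lines are reported as unknown rather than guessed.
fixed_for_line() {
    case "$1" in
        1.1.1*) echo 1.1.1x ;;
        3.0.*)  echo 3.0.13 ;;
        *)      echo "" ;;
    esac
}

# "fixed", "vulnerable" or "unknown" for the OpenSSL version a Server header shows.
assess_banner() {
    v=$(banner_openssl_version "$1")
    [ -n "$v" ] || { echo unknown; return; }
    fixed=$(fixed_for_line "$v")
    [ -n "$fixed" ] || { echo unknown; return; }
    if version_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
}

# On AIX, list the libssl/libcrypto objects the running httpd has mapped. That
# library, not whatever mod_ssl was built against, is the code that executes,
# and it is also what the banner string reflects (reply 4). The pid is passed
# in; procldd from the AIX proctools is assumed to be installed.
loaded_ssl_libs() {
    pid=$1
    if ! command -v procldd >/dev/null 2>&1; then
        echo "procldd not found: run this on the AIX host" >&2
        return 1
    fi
    procldd "$pid" | grep -E 'libssl|libcrypto'
}

# Constructed sample: the header quoted in reply 2. Against a live server use
#   assess_banner "$(curl -sI https://host/ | grep -i '^Server:')"
SAMPLE_HEADER='Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1t'
echo "$SAMPLE_HEADER => $(assess_banner "$SAMPLE_HEADER")"
```

Two caveats when reading the result. The banner is only a string: with ServerTokens set to Prod it disappears entirely, and a scanner keying on it will then report nothing, so treat procldd output on the live process (or rpm -q openssl on the host) as the authoritative check and the banner as a hint. And a "fixed" verdict here only means the version is at or above the release the thread names for CVE-2023-5678; it says nothing about other advisories.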