Thank you for the clarification.
I can confirm that mod_ssl uses the system OpenSSL library; I'm sorry for the misunderstanding.
But I cannot confirm that the OpenSSL version reported in headers by httpd is the one used to compile mod_ssl.
I had OpenSSL 3.0.8 installed and this was reported by httpd as version 1.1.1t.
I upgraded OpenSSL to the latest available version, 3.0.10, and the version reported by httpd changed to 1.1.1v, so this is really a dynamic value.
BTW, this CVE is fixed in OpenSSL 3.0.13, which is not available from IBM yet.
Thank you for your time.
------------------------------
Jurij Sikorsky
------------------------------
Original Message:
Sent: Thu December 14, 2023 07:39 AM
From: Ayappan P
Subject: httpd security vulnerability fix
mod_ssl is dynamically linked to the openssl library (libssl & libcrypto). There is no need to recompile mod_ssl with the latest openssl. So updating openssl in the machine is enough here. Tenable has this problem of looking at the openssl used to compile the mod_ssl rather than openssl installed in the machine. This needs to be changed.
------------------------------
Ayappan P
Original Message:
Sent: Thu December 14, 2023 05:14 AM
From: Jurij Sikorsky
Subject: httpd security vulnerability fix
Hi Reshma,
Is there a plan to update mod_ssl to a more recent version?
There is a published CVE-2023-5678 for OpenSSL versions < 1.1.1x.
The latest version in the repository has version 1.1.1t and Tenable is marking this as a security issue.
< Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1t
Thank you in advance,
Jurij
------------------------------
Jurij Sikorsky
Original Message:
Sent: Tue December 05, 2023 02:29 AM
From: RESHMA KUMAR
Subject: httpd security vulnerability fix
httpd-2.4.58-1.aix7.1.ppc.rpm is now available in AIX Toolbox.
This version of httpd has fixes for the following security vulnerabilities.
CVE-2023-45802
CVE-2023-43622
CVE-2023-31122
You can use DNF to update to this version of the package from the AIX Toolbox repository.
------------------------------
RESHMA KUMAR
------------------------------
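Added example, not part of any post in the thread and not IBM or Tenable code: a small triage helper that extracts the OpenSSL token from a `Server` header, orders versions including the 1.1.1 letter suffixes, and compares the banner against the installed package level. The function names are hypothetical; the fix thresholds (1.1.1x and 3.0.13) and the sample values are the ones quoted in the thread.

```python
import re

# Fixed versions per release line, as stated in the thread (CVE-2023-5678).
FIXED_IN = {"1.1.1": "1.1.1x", "3.0": "3.0.13"}
TOKEN = re.compile(r"\bOpenSSL/(\d+\.\d+\.\d+[a-z]*)")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def banner_version(server_header):
    """Return the OpenSSL version advertised in a Server header, or None."""
    m = TOKEN.search(server_header)
    return m.group(1) if m else None


def sort_key(version):
    """Order OpenSSL versions, including 1.1.1's letter suffixes (t < v < x)."""
    m = VERSION.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)


def release_line(version):
    """Map a version to its release line: '1.1.1' style before 3.x, '3.0' after."""
    major, minor, patch = sort_key(version)[:3]
    return f"{major}.{minor}.{patch}" if major < 3 else f"{major}.{minor}"


def verdict(version):
    """'below_fix', 'at_or_above_fix' or 'unknown' against FIXED_IN."""
    fixed = FIXED_IN.get(release_line(version))
    if fixed is None:
        return "unknown"
    return "below_fix" if sort_key(version) < sort_key(fixed) else "at_or_above_fix"


def triage(server_header, installed_version):
    """Compare what the banner implies with what the installed package implies."""
    advertised = banner_version(server_header)
    return {
        "advertised": advertised,
        "banner_verdict": verdict(advertised) if advertised else "unknown",
        "installed_verdict": verdict(installed_version),
        "banner_matches_installed": advertised == installed_version,
    }


# Sample input constructed from values quoted in the thread.
print(triage("Apache/2.4.58 (Unix) OpenSSL/1.1.1v", "3.0.10"))
```

A `banner_matches_installed` value of `False` marks a finding where the banner string alone should not be taken as the package level and the installed version needs to be checked on the host.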