AIX Open Source

  • 1.  httpd security vulnerability fix

    Posted Tue December 05, 2023 02:29 AM

    httpd-2.4.58-1.aix7.1.ppc.rpm is now available in AIX Toolbox.

    This version of httpd has fixes for the following security vulnerabilities.

    CVE-2023-45802
    CVE-2023-43622
    CVE-2023-31122


    You can use DNF to update to this version of the package from the AIX Toolbox repository.



    ------------------------------
    RESHMA KUMAR
    ------------------------------


  • 2.  RE: httpd security vulnerability fix

    Posted Thu December 14, 2023 07:16 AM

    Hi Reshma,

    Is there a plan to update mod_ssl to a more recent version?

    There is a published CVE-2023-5678 for OpenSSL versions < 1.1.1x.

    The latest version in the repository has version 1.1.1t and Tenable is marking this as a security issue.

    < Server: Apache/2.4.58 (Unix) OpenSSL/1.1.1t

    Thank you in advance,

    Jurij



    ------------------------------
    Jurij Sikorsky
    ------------------------------



  • 3.  RE: httpd security vulnerability fix

    Posted Thu December 14, 2023 07:40 AM

    mod_ssl is dynamically linked to the openssl library (libssl & libcrypto). There is no need to recompile mod_ssl with the latest openssl. So updating openssl on the machine is enough here. Tenable has this problem of looking at the openssl used to compile mod_ssl rather than the openssl installed on the machine. This needs to be changed.



    ------------------------------
    Ayappan P
    ------------------------------



  • 4.  RE: httpd security vulnerability fix

    Posted Tue December 19, 2023 07:04 PM

    Thank you for the clarification.

    I can confirm that mod_ssl uses the system OpenSSL library; I'm sorry for the misunderstanding.

    But I cannot confirm that the OpenSSL version reported in the headers by httpd is the one used to compile mod_ssl.

    I had OpenSSL 3.0.8 installed and this was reported by httpd as version 1.1.1t.

    I upgraded OpenSSL to the latest available version 3.0.10 and httpd reported version changed to 1.1.1v, so this is really a dynamic value.

    BTW, this CVE is fixed in OpenSSL 3.0.13, which is not available from IBM yet.

    Thank you for your time.



    ------------------------------
    Jurij Sikorsky
    ------------------------------
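The thread above turns on two facts: mod_ssl loads libssl/libcrypto dynamically, so the library actually on the machine is what decides exposure (post 3), and the OpenSSL token in httpd's Server: header tracks that runtime library (post 4). The script below is an added example, not code from any participant or from IBM; it parses OpenSSL version strings in both the 1.1.1 letter-suffix form and the 3.x numeric form, decides whether a given version is below the fixes the thread names for CVE-2023-5678 (1.1.1x from post 2, 3.0.13 from post 4; other branches are deliberately left unanswered), and flags when the version httpd advertises disagrees with the package version you believe is installed, which would mean httpd picked up a different libssl than the one you updated. The sample header and rpm string are constructed from the thread's own values.

```python
import re

# Version regexes: prefer an explicit "OpenSSL/x.y.zL" token (as in a Server:
# header) so that "Apache/2.4.58" is never mistaken for the OpenSSL version;
# fall back to a bare version for strings like "openssl-3.0.10-1".
_TOKEN_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)")
_BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch) for an OpenSSL version string.

    1.1.1 releases carry a letter as the patch level (1.1.1a=1 ... 1.1.1z=26);
    3.x releases use the third numeric field and have no letter. Both forms
    collapse to one tuple so ordinary tuple comparison orders them correctly.
    """
    m = _TOKEN_RE.search(text) or _BARE_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def branch_of(version):
    """Release branch key: (1,1,1) for the letter-suffixed line, (3,0) for 3.0.x."""
    return version[:3] if version[0] < 3 else version[:2]


# First fixed release per branch, as stated in the thread (assumption: the
# thread is the only source used here; branches it does not mention are
# reported as unknown rather than guessed).
CVE_2023_5678_FIXED = {
    branch_of(parse_openssl_version("1.1.1x")): parse_openssl_version("1.1.1x"),
    branch_of(parse_openssl_version("3.0.13")): parse_openssl_version("3.0.13"),
}


def is_vulnerable_cve_2023_5678(version_text):
    """True if below the branch's fix, False if at/after it, None if the branch
    is not covered by the thread's data."""
    v = parse_openssl_version(version_text)
    fixed = CVE_2023_5678_FIXED.get(branch_of(v))
    if fixed is None:
        return None
    return v < fixed


def openssl_from_server_header(header_value):
    """Extract the OpenSSL token httpd advertises, e.g. '1.1.1t', or None."""
    m = re.search(r"OpenSSL/(\S+)", header_value)
    return m.group(1) if m else None


def assess(server_header, installed_package):
    """Compare the runtime version httpd advertises with the packaged version.

    A mismatch means httpd is loading a libssl other than the package you
    updated (a second OpenSSL on the library path), so patching that package
    alone did not change what mod_ssl runs with.
    """
    advertised = openssl_from_server_header(server_header)
    installed = parse_openssl_version(installed_package)
    result = {
        "advertised": advertised,
        "installed": installed,
        "installed_vulnerable": is_vulnerable_cve_2023_5678(installed_package),
        "advertised_vulnerable": None,
        "mismatch": None,
    }
    if advertised is not None:
        adv = parse_openssl_version(advertised)
        result["advertised_vulnerable"] = is_vulnerable_cve_2023_5678(advertised)
        result["mismatch"] = adv != installed
    return result


if __name__ == "__main__":
    # Constructed from the thread: the header Jurij quoted and a 3.0.x package.
    header = "Apache/2.4.58 (Unix) OpenSSL/1.1.1t"
    package = "openssl-3.0.10-1"
    for key, val in assess(header, package).items():
        print(f"{key}: {val}")
```

Run on the real box, feed `assess()` the Server: header from a HEAD request against the instance and the output of `rpm -q openssl`; a `mismatch` of True is the cue to check with `ldd` which libssl mod_ssl actually resolves before trusting either the scanner's verdict or the package version.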