Bug 61934 - Impact of CVE-2017-3737 on Apache HTTP Server
Status: NEW
Product: Apache httpd-2
Classification: Unclassified
Component: Other Modules
Version: 2.4.1
Hardware: PC All
Importance: P2 normal
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2017-12-28 10:11 UTC by Ravi Shankar
Modified: 2018-01-09 04:11 UTC

Description Ravi Shankar 2017-12-28 10:11:50 UTC
Hello,

OpenSSL has recently published information and fixes for CVE-2017-3737 (https://www.openssl.org/news/secadv/20171207.txt). Several OS and product vendors have issued updates to take care of this. I understand OpenSSL is used by certain in-built modules in Apache HTTP Server. 

Considering this fact, is Apache HTTP Server affected by the vulnerability?
Comment 1 Eric Covener 2017-12-28 13:37:41 UTC
mod_ssl seems to more closely match the 'safe' path w/ state/error checking in the three places it does handshakes.  Either way, the only sane suggestion is to use an unaffected openssl.

Presumably vendors are updating their openssl builds, not changing how they call openssl.


Leaving in "NEW" in case someone wants to look more closely.
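
The calling pattern that "state/error checking" around a handshake amounts to (check the handshake result, and never read or write on a connection whose handshake failed fatally), as an added example that is not part of this bug thread and is not mod_ssl's code. It uses Python's standard `ssl` module over in-memory BIOs instead of mod_ssl's C calls; `GuardedTLS`, `HandshakeFailed`, `demo` and the hostname `example.test` are hypothetical names, and the alert bytes are constructed.

```python
import ssl

# Constructed sample input: one TLS alert record (level fatal, handshake_failure).
FATAL_ALERT = bytes.fromhex("15030300020228")

class HandshakeFailed(Exception):
    """I/O was attempted on a connection that never finished its handshake."""

class GuardedTLS:
    """Hypothetical wrapper: the caller tracks the handshake outcome itself
    instead of relying on the TLS library's internal error state."""

    def __init__(self, ctx, hostname):
        self.incoming, self.outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing, server_hostname=hostname)
        self.state = "handshaking"

    def handshake(self):
        if self.state == "failed":
            raise HandshakeFailed("handshake already failed; open a new connection")
        try:
            self.tls.do_handshake()
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            return False           # needs more bytes from the peer, not an error
        except ssl.SSLError:
            self.state = "failed"  # fatal: remember it and stop using this object
            raise
        self.state = "established"
        return True

    def read(self, n=4096):
        self._require_established("read")
        return self.tls.read(n)

    def write(self, data):
        self._require_established("write")
        return self.tls.write(data)

    def _require_established(self, op):
        if self.state != "established":
            raise HandshakeFailed(f"refusing {op}: state is {self.state}")

def demo():
    conn = GuardedTLS(ssl.create_default_context(), "example.test")
    first = conn.handshake()          # ClientHello queued, waiting for the peer
    conn.incoming.write(FATAL_ALERT)  # peer answers with a fatal alert
    try:
        conn.handshake()
    except ssl.SSLError:
        pass
    return first, conn.state
```
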
Comment 2 Ravi Shankar 2018-01-09 04:11:44 UTC
Hello Team

Any further update on this?