admin Site Admin
Joined: 03 Mar 2002 Posts: 1313
Posted: Wed Apr 09, 2014 9:56 am Post subject: About OpenSSL Security Advisory [07 Apr 2014]
Abyss Web Server uses the OpenSSL library for its SSL layer. A vulnerability has been discovered in recent releases of OpenSSL which could allow a malicious client to read up to 64k of memory of the server. While this sounds scary in theory, in the context of Abyss Web Server, the revealed memory should not contain any sensitive information that the attacker could use.
https://www.openssl.org/news/secadv_20140407.txt
Who is concerned by this vulnerability?
If you are using Abyss Web Server version 2.8.0.x or 2.9.0.x, you are using a vulnerable version of OpenSSL.
If you do not have an HTTPS host, you are not using OpenSSL and you are not affected.
Solutions if you are concerned by the vulnerability
If you are using Abyss Web Server X1 (the free edition): You can immediately upgrade to the latest version of Abyss Web Server, 2.9.3.1, which is not affected. This version has not been officially announced, but its X1 edition is ready for use and contains a fixed OpenSSL module:
Windows: http://www.aprelium.com/data/abwsx1-2-9-3-1.exe
Mac OS X: http://www.aprelium.com/data/abwsx1-2-9-3-1.dmg
Linux: http://www.aprelium.com/data/abwsx1-2-9-3-1.tgz
If you are using Abyss Web Server X2 (the professional edition) version 2.8.0.x or 2.9.0.x: The new version 2.9.3.1 will be ready within 48 hours and will be announced by email as usual.
Meanwhile, users of the Windows edition can upgrade their OpenSSL DLLs without changing Abyss Web Server. Please download the following ZIP file, and replace the files libeay32.dll and ssleay32.dll in the Abyss Web Server directory with the copies you'll find in the ZIP (be sure to get them from the right subdirectory: x86 for 32-bit Windows systems and x64 for 64-bit Windows systems).
http://www.aprelium.com/data/abyssws-openssl-101g.zip
Thank you for your understanding.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
Forum Administrator
Aprelium - https://aprelium.com
Last edited by admin on Thu Mar 31, 2016 11:52 am; edited 1 time in total
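The post above says only that "recent releases" of OpenSSL are affected; the advisory it links states the exact range (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; 1.0.0 and 0.9.8 unaffected). The following is an added inventory helper, not Aprelium's code, that applies that rule to an OpenSSL version banner such as the one a server or runtime reports; its function names are my own.

```python
import re
import ssl

# Affected releases per the linked OpenSSL advisory: 1.0.1 through 1.0.1f,
# plus 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 ship the fix; the 1.0.0 and
# 0.9.8 branches never carried the TLS heartbeat code.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.]+))?")


def parse_openssl_version(banner):
    """Split a banner like 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, patch, letter, pre-release tag).
    Raises ValueError for strings that are not OpenSSL banners."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre or ""


def heartbleed_affected(banner):
    """True when the banner names a release inside the affected range."""
    major, minor, patch, letter, pre = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # A bare "1.0.1" has an empty letter, which sorts before "a";
        # "f" is the last affected letter, "g" is the fixed release.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return pre == "beta1"
    return False


def local_openssl_report():
    """Report on the OpenSSL the running interpreter is linked against.
    Caveat: Linux vendors backport fixes without bumping the letter, so a
    patched distro may still show '1.0.1e'; a version match is a reason to
    check the vendor's package changelog, not proof of exposure."""
    banner = ssl.OPENSSL_VERSION
    return {"banner": banner, "affected_by_version": heartbleed_affected(banner)}


if __name__ == "__main__":
    print(local_openssl_report())
```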
Axis
Joined: 29 Sep 2003 Posts: 336
Posted: Thu Apr 17, 2014 6:16 pm Post subject: Disabled SSL/TLS compression
Thank you for your quick movement to address these issues. One question, though. It is stated, "Disabled SSL/TLS compression support to mitigate CRIME attacks."
Does this refer to the actual transmission of data via SSL/TLS or to the SSL pages themselves? Because if it is the latter, I am not seeing it. If I go to my SSL page and read the server headers, I see that the index for my SSL/TLS host reads "Content-Encoding: gzip."
I am guessing that you are referring to the actual transmission of data transmitted from that page, or rather during the "handshake", and not the page itself.
Would just like some confirmation on this.
Regards,
Axis