About OpenSSL Security Advisory [07 Apr 2014]

 
admin
Site Admin


Joined: 03 Mar 2002
Posts: 932

Posted: Wed Apr 09, 2014 9:56 am    Post subject: About OpenSSL Security Advisory [07 Apr 2014]

Abyss Web Server uses the OpenSSL library for the SSL layer. A vulnerability has been discovered in recent releases of OpenSSL which could allow a malicious client to read up to 64k of the server's memory. While this sounds scary in theory, in the context of Abyss Web Server, the revealed memory should not contain any sensitive information that the attacker could use.

https://www.openssl.org/news/secadv_20140407.txt

Who is concerned by this vulnerability?

If you are using Abyss Web Server version 2.8.0.x or 2.9.0.x, you are using a vulnerable version of OpenSSL.

If you do not have a HTTPS host, you are not using OpenSSL and you are not affected.

Solutions if you are concerned by the vulnerability

If you are using Abyss Web Server X1 (the free edition): You can immediately upgrade to the latest version of Abyss Web Server 2.9.3.1, which is not affected. This version has not been officially announced but its X1 edition is ready for use and contains a fixed OpenSSL module:

Windows: http://www.aprelium.com/data/abwsx1-2-9-3-1.exe

Mac OS X: http://www.aprelium.com/data/abwsx1-2-9-3-1.dmg

Linux: http://www.aprelium.com/data/abwsx1-2-9-3-1.tgz

If you are using Abyss Web Server X2 (the professional edition) version 2.8.0.x or 2.9.0.x: The new version 2.9.3.1 will be ready within 48 hours and will be announced by email as usual.

Meanwhile, users of the Windows edition can upgrade their OpenSSL DLLs without changing Abyss Web Server. Please download the following ZIP file, and replace the files libeay32.dll and ssleay32.dll in the Abyss Web Server directory with the copies you'll find in the ZIP (be sure to get them from the right subdirectory: x86 for 32-bit Windows systems and x64 for 64-bit Windows systems).

http://www.aprelium.com/data/abyssws-openssl-101g.zip

Thank you for your understanding.
_________________
Follow @abyssws on Twitter
Subscribe to our newsletter
_________________
Forum Administrator
Aprelium - https://aprelium.com


Last edited by admin on Thu Mar 31, 2016 11:52 am; edited 1 time in total
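For the DLL replacement step in the post above, one way to confirm which OpenSSL build a file actually contains is to look for the version banner OpenSSL embeds in its binaries. This is an added example, not Aprelium's code; the affected range is taken from the linked OpenSSL advisory, and the script name and sample byte strings are constructed.

```python
import re
import sys

# OpenSSL builds embed a banner such as "OpenSSL 1.0.1g 7 Apr 2014".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-[a-z0-9]+)? \d{1,2} [A-Z][a-z]{2} \d{4}")

def find_versions(blob):
    """Return sorted (base, letter, suffix) tuples for every banner in the bytes."""
    found = {tuple(g.decode() if g else "" for g in m.groups())
             for m in BANNER.finditer(blob)}
    return sorted(found)

def is_affected(base, letter, suffix):
    """Range per the linked OpenSSL advisory: 1.0.1 through 1.0.1f, and the
    1.0.2-beta releases up to 1.0.2-beta1. 1.0.1g and later are fixed."""
    if base == "1.0.1":
        return letter < "g"          # "" (1.0.1 and its betas) and a..f
    if base == "1.0.2":
        return suffix in ("-beta", "-beta1")
    return False

def check_file(path):
    """Map each version banner found in the file to True if it is affected."""
    with open(path, "rb") as fh:
        blob = fh.read()
    return {base + letter + suffix: is_affected(base, letter, suffix)
            for base, letter, suffix in find_versions(blob)}

# Constructed sample bytes standing in for DLL contents (not real binaries).
SAMPLE_OLD = (b"\x00MZ\x90junk\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
              b"SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013\x00")
SAMPLE_NEW = b"\x00MZ\x90junk\x00OpenSSL 1.0.1g 7 Apr 2014\x00"

if __name__ == "__main__":
    # Hypothetical usage: python check_openssl.py libeay32.dll ssleay32.dll
    status = 0
    for path in sys.argv[1:]:
        results = check_file(path)
        if not results:
            print(f"{path}: no OpenSSL banner found")
        for version, bad in results.items():
            print(f"{path}: OpenSSL {version} -> {'AFFECTED' if bad else 'not affected'}")
            status |= bad
    sys.exit(status)
```

The banner reports only the upstream version string, so a build whose vendor backported the fix without changing the version would still be flagged. Restart the server after replacing the files so the new DLLs are the ones loaded.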
admin
Site Admin


Joined: 03 Mar 2002
Posts: 932

Posted: Mon Apr 14, 2014 4:10 pm    Post subject: Re: About OpenSSL Security Advisory [07 Apr 2014]

Abyss Web Server 2.9.3 has just been released. Users of previous versions should upgrade as soon as possible to fix the Heartbleed issue.

http://www.aprelium.com/news/abws293.html
Axis
-


Joined: 29 Sep 2003
Posts: 336

Posted: Thu Apr 17, 2014 6:16 pm    Post subject: Disabled SSL/TLS compression

Thank you for your quick movement to address these issues. One question, though. It is stated, "Disabled SSL/TLS compression support to mitigate CRIME attacks."

Does this refer to the actual transmission of data via SSL/TLS or to the SSL pages themselves? Because if it is the latter, I am not seeing it. If I go to my SSL page and read the server headers, I see that the index for my SSL/TLS host reads "Content-Encoding: gzip."

I am guessing that you are referring to the actual transmission of data transmitted from that page, or rather during the "handshake", and not the page itself.

Would just like some confirmation on this.

Regards,
Axis
All times are GMT + 1 Hour