CVE-2014-0160 / heartbleed openssl bug & mod_spdy


JT Olds

Apr 8, 2014, 1:50:42 AM
to mod-spdy...@googlegroups.com
In trying to fix the most recent openssl vulnerability on my Apache servers, installing the latest Apache and openssl was not enough to fix the vulnerability.

Since mod-spdy is built against openssl, it was keeping the vulnerability alive until I disabled it.

mod-spdy packages need to be rebuilt, or uninstalled.

You can check if your system is vulnerable with a tool like https://github.com/titanous/heartbleeder/
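
An added example, not part of the original post or the mod_spdy project: a triage script that scans module files for OpenSSL version banners and flags those in the range affected by CVE-2014-0160 (1.0.1 through 1.0.1f, and the 1.0.2 betas before beta2). The sample byte strings are constructed, and the files to scan are passed on the command line.

```python
import re
import sys

# A binary that links OpenSSL statically, or that records the version it was
# compiled against, contains a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d*)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)

def heartbleed_affected(base, letter, beta):
    """True if the version is in the range affected by CVE-2014-0160."""
    if base == "1.0.1":
        return letter in ("", "a", "b", "c", "d", "e", "f")  # fixed in 1.0.1g
    if base == "1.0.2":
        return beta in ("-beta", "-beta1")                   # fixed in 1.0.2-beta2
    return False                                             # other branches unaffected

def scan_bytes(data):
    """Return a sorted list of (version, affected) for each distinct banner."""
    found = set()
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found.add((base + letter + beta, heartbleed_affected(base, letter, beta)))
    return sorted(found)

def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

# Constructed samples standing in for the contents of a module file.
SAMPLE_OLD = (b"\x7fELF\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00"
              b"TLSv1 part of OpenSSL 1.0.1e 11 Feb 2013\x00")
SAMPLE_FIXED = b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00"

if __name__ == "__main__":
    # Usage: python scan_openssl.py <module.so> [<module.so> ...]
    exit_code = 0
    for path in sys.argv[1:]:
        results = scan_file(path)
        if not results:
            print(f"{path}: no OpenSSL banner found")
        for version, affected in results:
            status = "AFFECTED RANGE" if affected else "not in affected range"
            print(f"{path}: OpenSSL {version}: {status}")
            exit_code |= int(affected)
    sys.exit(exit_code)
```

A hit is a lead, not proof: distribution packages can carry a backported fix under an unchanged version string, and a module may only record the headers it was compiled against. Confirm with a live check such as the tool linked above.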

Tarun Reddy

Apr 8, 2014, 9:06:42 AM
to mod-spdy...@googlegroups.com
I guess we'll finally find out if this project is dead or not. No updates on Spdy 3.1 were one thing, but this effectively kills the project if we don't have a fix. I'm uninstalling now.

Eric Reiche

Apr 8, 2014, 9:47:13 AM
to mod-spdy...@googlegroups.com
Yes, it took me a while to realize that it was mod_spdy causing this problem. Uninstalled it, too.

Matthew Steele

Apr 8, 2014, 10:17:45 AM
to mod-spdy...@googlegroups.com
Hi all,

Thanks for the report.  I am working on updating mod_spdy's openssl version and getting a new release out ASAP.



Mike Lawson

Apr 9, 2014, 12:12:42 PM
to mod-spdy...@googlegroups.com
Looks like yesterday's update (v0.9.4.2) has added ECDHE and support for Forward Security. Thumbs up for that!