08-01-2011 03:02 PM
Is there a patch available for the recent SSL exploits not fixed in the 0.9.8h version built into SWS v2.2?
CVE-2010-4180 and CVE-2008-7270
08-03-2011 03:16 PM
CVE-2010-4180 is listed. CVE-2008-7270 is not.
Ring up HP support for the official answer.
08-06-2011 05:58 AM
According to HP these two are not patched and have been referred to engineering. I've discovered a workaround and that is to turn off the SSLSessionCache.
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
08-06-2011 08:03 AM
If you are concerned about the status of SSL CVEs within Apache, consider a more detailed investigation into the current status, development plans, and remediation plans for OpenVMS and its web-facing and security-related components.
08-19-2011 12:26 PM
A new Apache ECO is available which incorporates OpenSSL 0.9.8o and is linked from: