Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 1 of 7 (900 Views)

SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Is there a patch available for the recent SSL exploits not fixed in the 0.9.8h version built into SWS v2.2?

CVE-2010-4180 and CVE-2008-7270

John Nebel

HP Pro
Ian Miller.
Posts: 4,371
Registered: ‎06-03-2003
Message 2 of 7 (883 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you log a call then HP support can tell you and supply the patch if there is one.

____________________
Purely Personal Opinion
Honored Contributor
Hoff
Posts: 4,962
Registered: ‎01-29-2006
Message 3 of 7 (847 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Here's a collection of CVE listings I've collected from recent HP security announcements.

CVE-2010-4180 is listed. CVE-2008-7270 is not.

Ring up HP support for the official answer.

Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 4 of 7 (826 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

Thanks, I did open a case.

Since SWS has its own SSL, SSL V1.4-453 does not fix the CVE-2010-4180 exploit for SWS.

Best,

John

Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 5 of 7 (817 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

According to HP these two are not patched and have been referred to engineering.  I've discovered a workaround and that is to turn off the SSLSessionCache.

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300

Best,

John
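
An added example, not part of the original post and not HP's code: a small checker that reads mod_ssl configuration text and reports whether the SSLSessionCache workaround above is actually in effect. The function names are hypothetical; it assumes the last active SSLSessionCache line wins, that an absent directive means mod_ssl's documented default of none, and it does not follow Include files.

```python
import re

# Values that leave the inter-process session cache off. "none" is the
# workaround from the post; "nonenotnull" is the Apache 2.2+ variant.
DISABLED = {"none", "nonenotnull"}

# Directive names are case-insensitive. Requiring whitespace after the name
# keeps SSLSessionCacheTimeout from matching, and anchoring at the start of
# the line skips commented-out ("#...") copies of the directive.
DIRECTIVE = re.compile(r"^\s*SSLSessionCache\s+(\S+)", re.IGNORECASE)

def effective_session_cache(conf_text):
    """Return (value, line_number) of the last active SSLSessionCache line.

    Assumption: a repeated directive overrides the earlier one; with no
    directive at all the default "none" applies and line_number is None.
    """
    value, lineno = "none", None
    for n, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if m:
            value, lineno = m.group(1).strip("\"'"), n
    return value, lineno

def cache_disabled(conf_text):
    """True when the effective setting keeps the session cache off."""
    value, _ = effective_session_cache(conf_text)
    return value.lower() in DISABLED

# The settings from the post, with the workaround applied.
POST_CONF = (
    "#   Inter-Process Session Cache:\n"
    "SSLSessionCache        none\n"
    "#SSLSessionCache        shm:logs/ssl_scache(512000)\n"
    "#SSLSessionCacheTimeout  300\n"
)
# Constructed sample: a later line quietly re-enables the cache.
REGRESSED = POST_CONF + "sslsessioncache shm:logs/ssl_scache(512000)\n"

if __name__ == "__main__":
    for name, text in (("post", POST_CONF), ("regressed", REGRESSED)):
        value, lineno = effective_session_cache(text)
        state = "off" if cache_disabled(text) else "ON"
        print(f"{name}: cache {state} ({value!r}, line {lineno})")
```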

Honored Contributor
Hoff
Posts: 4,962
Registered: ‎01-29-2006
Message 6 of 7 (813 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you are concerned around the status of SSL CVEs within Apache, consider a more detailed investigation into the current status, development plans, and remediation plans for OpenVMS and its web-facing and security-related components.

Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 7 of 7 (770 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

A new Apache ECO is available which incorporates OpenSSL 0.9.8o and is linked from:

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_patches.html



John Nebel
