Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 1 of 7 (648 Views)

SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Is there a patch available for the recent SSL exploits not fixed in the 0.9.8h version built into SWS v2.2?

CVE-2010-4180 and CVE-2008-7270

John Nebel

HP Pro
Ian Miller.
Posts: 4,370
Registered: ‎06-03-2003
Message 2 of 7 (631 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you log a call then HP support can tell you and supply the patch if there is one.

___________________
Purely Personal Opinion
Honored Contributor
Hoff
Posts: 4,907
Registered: ‎01-29-2006
Message 3 of 7 (595 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Here's a collection of CVE listings I've collected from recent HP security announcements.

CVE-2010-4180 is listed. CVE-2008-7270 is not.

Ring up HP support for the official answer.
Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 4 of 7 (574 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

Thanks, I did open a case.

Since SWS has its own SSL, SSL V1.4-453 does not fix the CVE-2010-4180 exploit for SWS.

Best,

John
Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 5 of 7 (565 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

According to HP these two are not patched and have been referred to engineering. I've discovered a workaround and that is to turn off the SSLSessionCache.

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300

Best,

John
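
Added example, not part of the original post and not HP or Apache code: a small check that reads a mod_ssl configuration and reports whether the workaround above is actually in effect. It assumes that the last active SSLSessionCache directive wins and that Include files are not followed; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: an older active setting followed by the workaround,
# to show that only the last active directive decides the result.
SAMPLE_CONF = """\
#   Inter-Process Session Cache:
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300
<IfModule mod_ssl.c>
  sslsessioncache  none
  #SSLSessionCache  shm:logs/ssl_scache(512000)
</IfModule>
"""

# Directive names are case-insensitive; \s+ keeps SSLSessionCacheTimeout out.
DIRECTIVE = re.compile(r"^\s*SSLSessionCache\s+(\S+)", re.IGNORECASE)


def logical_lines(text):
    """Yield (line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def session_cache_settings(text):
    """Return every active SSLSessionCache directive as (line_no, value)."""
    found = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inactive
        m = DIRECTIVE.match(line)
        if m:
            found.append((no, m.group(1).strip('"')))
    return found


def workaround_applied(text):
    """True only if the last active directive is exactly 'none'."""
    # Assumption: later directives override earlier ones; a config with no
    # directive at all is reported as not applied so that it gets reviewed.
    settings = session_cache_settings(text)
    return bool(settings) and settings[-1][1].lower() == "none"
```

A file that still has an active shm: or dbm: line after the "none" line is reported as not applied, which is the case a quick visual check tends to miss.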

Honored Contributor
Hoff
Posts: 4,907
Registered: ‎01-29-2006
Message 6 of 7 (561 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you are concerned around the status of SSL CVEs within Apache, consider a more detailed investigation into the current status, development plans, and remediation plans for OpenVMS and its web-facing and security-related components.

 

Occasional Contributor
John Nebel
Posts: 5
Registered: ‎06-29-2005
Message 7 of 7 (518 Views)

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

A new Apache ECO is available which incorporates OpenSSL 0.9.8o and is linked from:

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_patches.html



John Nebel
