SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

John Nebel
Occasional Contributor

Is there a patch available for the recent SSL exploits not fixed in the 0.9.8h version built into SWS v2.2?

CVE-2010-4180 and CVE-2008-7270

John Nebel

6 REPLIES
Ian Miller.
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you log a call then HP support can tell you and supply the patch if there is one.

____________________
Purely Personal Opinion
Hoff
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Here's a collection of CVE listings I've collected from recent HP security announcements.

CVE-2010-4180 is listed. CVE-2008-7270 is not.

Ring up HP support for the official answer.

John Nebel
Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

Thanks, I did open a case.

Since SWS has its own SSL, SSL V1.4-453 does not fix the CVE-2010-4180 exploit for SWS.

Best,

John

John Nebel
Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

According to HP these two are not patched and have been referred to engineering. I've discovered a workaround and that is to turn off the SSLSessionCache.

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300

Best,

John
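
A check for the workaround in the post above, as an added example that is not part of the original thread and is not HP or Apache tooling: it reads a mod_ssl configuration file and reports which SSLSessionCache setting is actually in effect, so a re-enabled cache line is noticed after an upgrade or edit. The function names and the sample text are constructed for illustration; it assumes the last uncommented directive wins and does not follow Include files.

```python
import re
import sys

# Constructed sample: the directives quoted in the post above.
SAMPLE_CONF = """\
#   Inter-Process Session Cache:
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300
"""

# \s+ after the name keeps SSLSessionCacheTimeout from matching.
DIRECTIVE = re.compile(r"^\s*SSLSessionCache\s+(\S+)", re.IGNORECASE)


def active_directives(conf_text):
    """Return [(line_number, value)] for each uncommented SSLSessionCache line."""
    found = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented out, not in effect
        match = DIRECTIVE.match(line)
        if match:
            found.append((number, match.group(1).strip("\"'")))
    return found


def audit(conf_text):
    """Report the effective session cache setting for one config file."""
    directives = active_directives(conf_text)
    # Assumptions: the last active directive wins, and a file with no
    # directive falls back to mod_ssl's documented default of "none".
    effective = directives[-1][1] if directives else "none"
    return {
        "effective": effective,
        "disabled": effective.lower() == "none",
        "directives": directives,
    }


if __name__ == "__main__":
    # Hypothetical usage: python check_scache.py path/to/ssl.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    result = audit(text)
    for number, value in result["directives"]:
        print(f"line {number}: SSLSessionCache {value}")
    print("session cache disabled" if result["disabled"] else
          f"session cache ENABLED ({result['effective']})")
    sys.exit(0 if result["disabled"] else 1)
```

The non-zero exit status when the cache is enabled lets the check run from a scheduled job until the patched ECO is installed.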

Hoff
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you are concerned around the status of SSL CVEs within Apache, consider a more detailed investigation into the current status, development plans, and remediation plans for OpenVMS and its web-facing and security-related components.

John Nebel
Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

A new Apache ECO is available which incorporates OpenSSL 0.9.8o and is linked from:

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_patches.html

John Nebel