Apache « Cloud Testing Blog

Apache/mod_ssl vulnerability and mitigation

November 7, 2009

Apache HTTP feather logo

The following announcement has just been made to the announce mailing list:

Apache httpd is affected by CVE-2009-3555[1] (The SSL Injection or MiM attack[2]).

The Apache httpd webserver relies on OpenSSL for the implementation of the SSL/TLS protocol.

We strongly urge you to upgrade to OpenSSL 0.9.8l; and to be prepared to deploy OpenSSL 0.9.8m as it becomes available[3].

Note that these are for short term and mid-term mitigation only; the long term solution may well require a modification of the SSL and/or

TLS protocols[4].

For those who are not able to upgrade OpenSSL swiftly and/or for those who need detailed logging – we recommend that you roll out

this patch[5]:

http://www.apache.org/dist/httpd/patches/

apply_to_2.2.14 CVE-2009-3555-2.2.patch

sha1: 28cd58f3758f1add39417333825b9d854f4f5f43

as soon as possible. This is a partial fix in lieu of the protocol issues being addressed and further changes to OpenSSL. Like the

OpenSSL 0.9.8l stopgap measure this patch rejects in-session renegotiation.

If you are unable to patch and unable to roll our a newer version of OpenSSL, and you rely on Client Side Authentication with Certificates

then we recommend that you 1) ensure that you limit your configuration to a single ‘SSLClient require’ on VirtualHost/Sever level and 2)

remove all other (re)negotiation/require directives. However this does NOT fully protect you – it just curtails authentication in this

specific setting.

Leave a Comment » | Apache | Tagged: Apache, mod_ssl | Permalink
Posted by Phil Smith - Cloud Testing

Apache HTTP Server 2.2.13 Released

August 10, 2009

Apache HTTP feather logo

An updated version of the Apache 2.2 web server has been released. It is primarily a security and bug fix release. It also bundles version 1.3.8 of the APR Library version 1.3.9 of the APR Utility Library, which addresses a security concern that may be triggered by some 3rd party modules.

All users are encouraged to upgrade to this version.

For full details see the Apache HTTP Server website at http://httpd.apache.org/

If you need to check your websites, why not give Cloud Testing a try – http://www.cloudtesting.com/, we offer a Functional Testing Service, Cross Browser Testing Service and a Website Archiving Service.

Leave a Comment » | Apache | Tagged: Apache, HTTP Server | Permalink
Posted by Phil Smith - Cloud Testing

Categories

CloudTesting Blog (new)

CMS Version Control – White Paper March 4, 2011

We’re pleased to announce the release the second in our series of White Papers, which covers CMS (Content Management System) Version Control. “Regulatory bodies from Government to Advertising Standards and Industry watchdogs have been increasingly focusing their attention on the digital communications displayed across corporate websites…” It can be downloade […]

UK Websites must now be legal, decent, honest and truthful! February 8, 2011

The ASA (Advertising Standards Authority) is the UK’s independent watchdog which maintains standards in advertising for the benefit of consumers, advertisers and society at large. The Committee of Advertising Practice (CAP) regulates non-broadcast advertising. It was set up in 1961 to regulate all print advertising and prevent the need for government l […]

FSA Website Archiving Regulations and Compliance January 27, 2011

The UK’s Financial Services Authority (FSA) lists its regulations and guidance regarding website archiving in its ‘Conducting Of Business Sourcebook’ (COBS). COBS 4 covers ‘Communicating with clients, including financial promotions’ and COBS 5 covers ‘Distance communications’, both of which have state the information that need to be stored. More information […]

New user admin module enabled for Website Archiving service January 17, 2011

We’re pleased to announce that the new user administration module for the Website Archiving service has been enabled. This now allows users who have been nominated as ‘Admin’ users to add or modify other users for their archiving accounts. This feature has always been available in our Functional / Cross Browser testing service (see www.cloudtesting.com) [.. […]

New Website Archiving Feature – Get an email when your site changes November 10, 2010

We’ve just released a new feature for our Website-Archive service, aimed at compliance officers, however it can be used by anyone. When we detect a change in the page we archive, we send an email (as below) to notify you of the fact. If you would like to know more about this or any of [...]

File & Document Archiving Released November 10, 2010

We’re pleased to announce that our File and Document Archiving has now moved out of Beta and is available to all subscribers. It is similar in concept to our standard Website Archiving, in that it is an outsourced managed service. Just tell us what you want archiving and we’ll do the rest. The captured files [...]

Authenticity signatures for your archives August 18, 2010

We’ve just released another new feature for our Website Archiving service, which allows you to easily view the authenticity signatures for your archives. We capture, calculate and store a number of signatures to ensure the integrity of the archived information. You can view an on-line demo version of the service at http://www.website-archive.com/.

FRCP Compliance July 12, 2010

The Federal Rules of Civil Procedure FRCP govern civil procedure (i.e. for civil lawsuits) in United States district (federal) courts. The two applicable rules are: Rule 26 – Duty to Disclose; General Provisions Governing Discovery Rule 37 – Failure to Make Disclosure or Cooperate in Discovery For more detail see: http://www.frcp-compliance.com h […]

FINRA Compliance July 9, 2010

FINRA (Financial Industry Regulatory Authority) was created in July 2007 with the consolidation of the regulation enforcement and arbitration functions of the New York Stock Exchange with the National Association Of Securities Dealers (NASD). FINRA in conjunction with the Securities and Exchange Commission (SEC) are regulatory agencies for the financial serv […]

Daily, Weekly and Monthly Archive Views May 26, 2010

You can now view the captured screenshots of your website in either Daily, Weekly or Montly views. The daily view is a single day with previous and next buttons for navigation: The weekly view is a seven day at a time view, again with previous and next buttons for navigation: The montly view is a [...]

Website-Archive.com Blog

What is eDiscovery?

eDiscovery (also known as e-discovery or electronic discovery) is a process where electronic data is sought, located, secured, and searched to be used as evidence in a civil or criminal legal case. All types of data and computer files can be used – text, images, databases, spreadsheets, audio files, video files and websites. To secure [...]

Phil Smith

PHP / Web Developer

Role: PHP Developer Salary: To £30K depending on experience Based: Guildford, Surrey We are looking for an experienced PHP developer to join our expanding team in Guildford developing a new User eXperience (UX) product. Key skills include PHP 5, MySQL, CSS, JavaScript, jQuery Experience of web analytics and / or website performance monitoring would be [...]

Phil Smith

C / Linux Developer

Role: C / Linux Developer Salary: To £30K depending on experience Based: Guildford, Surrey We are looking for an experienced C / Linux developer to join our expanding team in Guildford developing a new User eXperience (UX) product. Key skills include C, MySQL, Linux, TCP/IP, Networking Experience of web analytics and / or website performance [...]

Phil Smith

We’re now hiring….

As part of our continued expansion, we’re hiring – see our new careers for all our latest vacancies. http://www.cloudtesting.com/careers.php

Phil Smith

Regulatory Compliance and eDiscovery

We provide our customers with a fast set-up and easy to use solution for the need to comply with Information Governance regulations around web-content. FINRA (US) – Financial Industry Regulatory Authority – www.finra-compliance.com SEC (US) – Securities and Exchange Commission – www.sec-compliance.net NASD (US) – National Associ […]

Phil Smith

Website eDiscovery

We’ve launched a new site dedicated to website eDiscovery and archiving for compliance: http://www.website-ediscovery.com/

Phil Smith

Updated eDiscovery website

Phil Smith

Archive your website in Firefox 4.0 or Internet Explorer 9

Phil Smith

Need FSA (Financial Services Authority) compliance?

Need FSA (Financial Services Authority) compliance? http://www.fsa-compliance.com/

Phil Smith

Need Freedom of Information Act website compliance?

Need Freedom of Information Act website compliance? http://www.foi-compliance.com/

Phil Smith

Cloud Testing Blog

Apache/mod_ssl vulnerability and mitigation

Apache HTTP Server 2.2.13 Released

Recent Posts

Cloudtesting on Twitter

Pages

Blogroll

Links

Tags

Archives

Categories

CloudTesting Blog (new)

Website-Archive.com Blog

Follow “Cloud Testing Blog”