Welcome! Log In Create A New Profile

Advanced

Re: [nginx-announce] nginx-1.10.0

Previous Message Next Message
Forum List Message List New Topic Print View
OlegKi
April 27, 2016 06:02AM
Hi Kevin,

You write on the https://kevinworthington.com/ site:

> This release was built using OpenSSL 1.0.2g – upgrading is advised.

but both Stable version 1.10.0 (64-bit) 26 Apr 2016 and Mainline version 1.9.15 (64-bit) 20 Apr 2016 are built with OpenSSL 1.0.1g 7 Apr 2014, which have serious security problem: OpenSSL CCS vuln. (CVE-2014-0224) described on https://blog.qualys.com/ssllabs/2014/06/13/ssl-pulse-49-vulnerable-to-cve-2014-0224-14-exploitable and https://www.openssl.org/news/secadv/20140605.txt.

One can easy verify it by usage nginx -V:
C:\nginx>nginx -V
nginx version: nginx/1.10.0
built by gcc 4.8.2 (GCC)
built with OpenSSL 1.0.1g 7 Apr 2014
TLS SNI support enabled
configure arguments: ...

The tests from https://www.ssllabs.com/ssltest/ and https://www.htbridge.com/ssl/ confirm the same too.

Could you rebuild the binaries with OpenSSL 1.0.2g and to provide there on https://kevinworthington.com/nginx-for-windows/ ?

Thanks in advance
Oleg
Reply Quote
RSS
Subject Author Posted

Re: [nginx-announce] nginx-1.10.0

Kevin Worthington April 26, 2016 10:30AM

Re: [nginx-announce] nginx-1.10.0

OlegKi April 27, 2016 06:02AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 322
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready