New XAMPP release 8.1.6

Post by ishin1202 » 21. May 2022 02:54

Hello,

In the XAMPP 8.1.6 release (Apache 2.4.53), phpinfo shows OpenSSL version 1.1.1n instead of 1.1.1o. After upgrading to the new release 8.1.6 from 8.1.5, Tenable Nessus scanning still shows the OpenSSL < 1.1.1o vulnerability. Is there a way to upgrade OpenSSL manually, or is there any plan for an update? I am running the service in a Windows environment.

Please help.
ishin1202
 
Posts: 2
Joined: 21. May 2022 02:45
XAMPP version: 8.1.6
Operating System: Windows

Re: New XAMPP release 8.1.6

Post by Altrea » 21. May 2022 08:40

Hi,

I doubt you are using Nessus scans in non-commercial environments, so first of all some information about the scope of support in enterprise or commercially oriented environments:
[INFO] How to not fail getting help here

Now some more information about XAMPP and vulnerabilities (and vulnerability scanners). XAMPP is not designed for publicly accessible or critical production servers. Therefore many vulnerabilities are not that critical in the XAMPP context if you are using XAMPP for what it is designed for: a local test and development environment. It is the responsibility of every IT professional to read and analyze vulnerability reports and set them in the context of the software and the environments it is used in. If a negative vulnerability scan for XAMPP is a major problem in your company that needs to get fixed as fast as possible and you either:
  • cannot wait for Bitnami to release a new XAMPP version fixing this issue
  • cannot fix this issue by yourself
  • cannot pay an IT freelancer to fix that problem for you
then XAMPP is probably not the right tool for your environment.

The last piece of information I want to address is that XAMPP and this community support board do not provide any support for updating any of the core single components.

But because it is that easy, I will try to help you anyway.
  • DO A FULL BACKUP OF YOUR XAMPP ENVIRONMENT!
    I cannot stress this enough! We cannot help you with data loss, so better to be safe than sorry
  • No warranty or support if anything stops working after this fix
  • Copy your \xampp\apache\conf\ folder; you will need this later
  • Download "httpd-2.4.53-win64-VS16.zip" from here: https://www.apachelounge.com/download/
  • Extract the zip to a destination of your choice
  • Stop Apache
  • Copy all contents of the zip's Apache24 folder except the "htdocs" and "cgi-bin" folders
  • Paste these contents into your \xampp\apache\ folder and overwrite everything
  • Copy back your saved \xampp\apache\conf\ files

We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 11935
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: New XAMPP release 8.1.6

Post by ishin1202 » 06. June 2022 19:28

Thank you for your reply. I will wait for the new XAMPP update, since my environment is neither publicly accessible nor a critical production server. XAMPP provides a great (convenient) way to set up a development server. I have never thought of setting up a development environment without XAMPP. I've tested Nessus only for internal VA scans.

As you know, updating only httpd-2.4.53 would not fully patch the OpenSSL < 1.1.1o vulnerability, because the PHP extension is still using OpenSSL 1.1.1n. (15 Mar 2022 (Library: OpenSSL 1.1.1] 24 Aug 2021 check php/extras/openssl) I strongly believe the XAMPP team will apply the patch and announce the new release. If I must go to the cloud or a public environment, I will definitely follow the "Host your Application in the Amazon Cloud with XAMPP and Bitnami" manual.

Always appreciate your hard work!
ishin1202
 
Posts: 2
Joined: 21. May 2022 02:45
XAMPP version: 8.1.6
Operating System: Windows
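
The manual Apache swap listed in the moderator's reply, combined with the check raised in the last post (PHP ships its own OpenSSL build), as an added PowerShell example that is not part of the thread or of XAMPP. Assumptions: XAMPP is installed in C:\xampp, the Apache Lounge zip is already in the Downloads folder, a full backup has already been taken, and the scratch folder under %TEMP% is a hypothetical name.

```powershell
param(
    [string]$XamppRoot = 'C:\xampp',   # assumption: default XAMPP install path
    [string]$Zip = "$env:USERPROFILE\Downloads\httpd-2.4.53-win64-VS16.zip",  # assumption: download location
    [string]$WorkDir = "$env:TEMP\httpd-swap"   # hypothetical scratch folder
)
$ErrorActionPreference = 'Stop'
$apache  = Join-Path $XamppRoot 'apache'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$saved   = Join-Path $WorkDir "conf-$stamp"
$extract = Join-Path $WorkDir "extract-$stamp"

function Get-OpenSslReport {
    # Apache and PHP each ship their own OpenSSL build, so report both.
    [pscustomobject]@{
        Apache = & (Join-Path $apache 'bin\openssl.exe') version
        PHP    = & (Join-Path $XamppRoot 'php\php.exe') -r 'echo OPENSSL_VERSION_TEXT;'
    }
}
function Invoke-Robocopy {
    robocopy @args | Out-Null
    # robocopy exit codes below 8 mean success (files copied, extras found, ...)
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

# "Stop Apache": refuse to overwrite binaries while httpd.exe is loaded.
if (Get-Process -Name httpd -ErrorAction SilentlyContinue) {
    throw 'httpd.exe is still running; stop Apache first.'
}
$before = Get-OpenSslReport

# Save the current conf folder, then unpack the Apache Lounge build.
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Invoke-Robocopy (Join-Path $apache 'conf') $saved /E
Expand-Archive -Path $Zip -DestinationPath $extract
$src = Join-Path $extract 'Apache24'

# Copy everything except htdocs and cgi-bin over \xampp\apache, then restore conf.
Invoke-Robocopy $src $apache /E /XD (Join-Path $src 'htdocs') (Join-Path $src 'cgi-bin')
Invoke-Robocopy $saved (Join-Path $apache 'conf') /E

# If the PHP line is unchanged, a scanner can still flag the host.
"Before:"; $before | Format-List
"After:";  Get-OpenSslReport | Format-List
```

Comparing the two reports shows which component a scanner finding still applies to after the swap.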