Xampp openSSL 1.0.1 critical bug

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Xampp openSSL 1.0.1 critical bug

Postby pradas » 09. April 2014 14:47

http://heartbleed.com/

How to fix heartbleed openSSL bug in Xampp v1.8.3-3 (openSSL 1.0.1)

1. Test you site:
http://possible.lv/tools/hb/
If have: "Server is vulnerable, please upgrade software ASAP."
2. You need:
Download http://www.apachelounge.com/download/
httpd-2.4.9-win32-VC11.zip and unpack arhive
3. Shutdown Apache service!
4. Copy and replace all files from unpacked arhive "apache24\bin to Your xampp directory disk:\xampp\apache\bin (in xampp folder not need delete any files, just replace!!!)
WARNING Please backup bin directory!!!
5. Start Apache service!
6. Test server again http://possible.lv/tools/hb/
7. Enjoy "Your server appears to be patched against this bug."
+ now update Apache from 2.4.7 to 2.4.9

P.S. After 1-2 days update new from 1.0.1g to 1.0.2 openssl stable (curent 1.0.2 beta)
https://www.openssl.org/news/secadv_20140407.txt
pradas
 
Posts: 4
Joined: 09. April 2014 10:30
Operating System: Server 2012

Re: Xampp openSSL 1.0.1 critical bug

Postby Papache » 10. April 2014 06:00

http://sourceforge.net/projects/xampp/files/security/2014-04%20Heartbleed/
Papache
 
Posts: 5
Joined: 09. April 2014 08:45
Operating System: Linux

Re: Xampp openSSL 1.0.1 critical bug

Postby Beltran » 10. April 2014 10:08

We are working on releasing new versions and a fix for this issue. We are going to publish them today.
User avatar
Beltran
Power-User
 
Posts: 108
Joined: 22. March 2013 12:29
Operating System: Windows, Linux, OS X

Re: Xampp openSSL 1.0.1 critical bug

Postby Beltran » 10. April 2014 12:26

Hi,

We released new versions of XAMPP that fixes this issue. This release addresses the important OpenSSL Heartbleed security issue. You can download new versions at http://www.apachefriends.org/download.html. We also released patches to fix the OpenSSL Heartbleed issue in previous installations at https://www.apachefriends.org/blog/heartbleed-bug.html.

v1.8.3-4

Updated OpenSSL to 1.0.1g
Updated Apache to 2.4.9
Updated PHP to 5.4.27
phpMyAdmin 4.1.12

v1.8.2-5

Updated OpenSSL to 1.0.1g
Updated Apache to 2.4.9
Updated PHP to 5.5.11
phpMyAdmin 4.1.12
User avatar
Beltran
Power-User
 
Posts: 108
Joined: 22. March 2013 12:29
Operating System: Windows, Linux, OS X

Re: Xampp openSSL 1.0.1 critical bug

Postby net.work » 10. April 2014 19:54

Hello - is this fix compatible with Xampp version 1.8.1 ? I tried it, but after applied fix, it´s not possible to start apache :( Thanks for info.
net.work
 
Posts: 6
Joined: 19. January 2014 21:53
Operating System: Windows

Re: Xampp openSSL 1.0.1 critical bug

Postby Beltran » 12. April 2014 09:14

XAMPP 1.8.1 for Windows is NOT AFFECTED by this issue. This fix is only for 1.8.3 versions on Windows, previous versions are not affected.
User avatar
Beltran
Power-User
 
Posts: 108
Joined: 22. March 2013 12:29
Operating System: Windows, Linux, OS X

Re: Xampp openSSL 1.0.1 critical bug

Postby jjmil03 » 28. April 2014 16:10

XAMPP 1.8.1 is affected, as it runs OpenSSL 1.0.1c. I am having the same issue, it will not start after I replace the DLL files. Would they need to be registered or something? Please help.
jjmil03
 
Posts: 2
Joined: 28. April 2014 16:06
Operating System: Windows Server 2008 R2

Re: Xampp openSSL 1.0.1 critical bug

Postby orware » 29. April 2014 18:56

Hi Beltran,

I also have version 1.8.1 installed and went through your posted instructions with the patched files on a Windows Server 2008 R2 machine I have XAMPP installed on and wasn't able to start Apache up after copying the files over.

Replacing the files with my backed up ones allowed Apache to restart OK again.

I'd be happy to upgrade XAMPP normally if it was just a development workstation, but in this case I am actually using XAMPP as a proxy with Tomcat and SSL setup so I would rather avoid having to do that setup work again if I can, since I remember it took a while.
orware
 
Posts: 4
Joined: 01. July 2008 18:22

Re: Xampp openSSL 1.0.1 critical bug

Postby tfbarrett1981 » 05. May 2014 13:34

I patched the files according the the directions on this page https://www.apachefriends.org/blog/heartbleed-bug.html

But when I try to start Apache it will not start.

I am using Windows Server 2012.

Any ideas?
tfbarrett1981
 
Posts: 2
Joined: 05. May 2014 12:48
Operating System: Windows Server 2012

Re: Xampp openSSL 1.0.1 critical bug

Postby tfbarrett1981 » 05. May 2014 14:11

Solved my own problems with some googling.

If after you patch the install Apache wont start run "openssl -version -a" command to get the version and see the following message:
"The Program can't start because MSVCR110.dll is missing from your computer. Try reinstalling the program to fix this problem."

You can download and install the C++ redistributable installer for Visual Studio 2012 from Microsoft. You can to install the "32 bit" version
http://www.microsoft.com/en-us/download/details.aspx?id=30679
and select the "vcredist_x86.exe" installer.
tfbarrett1981
 
Posts: 2
Joined: 05. May 2014 12:48
Operating System: Windows Server 2012

Re: Xampp openSSL 1.0.1 critical bug

Postby orware » 05. May 2014 17:24

tfbarrett1981 wrote:Solved my own problems with some googling.

If after you patch the install Apache wont start run "openssl -version -a" command to get the version and see the following message:
"The Program can't start because MSVCR110.dll is missing from your computer. Try reinstalling the program to fix this problem."

You can download and install the C++ redistributable installer for Visual Studio 2012 from Microsoft. You can to install the "32 bit" version
http://www.microsoft.com/en-us/download/details.aspx?id=30679
and select the "vcredist_x86.exe" installer.


Thanks tfbarrett1981! Installing the x86 redistributable and then running through the procedure one more time worked perfectly!
orware
 
Posts: 4
Joined: 01. July 2008 18:22


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 57 guests