
Xampp openSSL 1.0.1 critical bug

Posted: 09. April 2014 14:47
by pradas
http://heartbleed.com/

How to fix heartbleed openSSL bug in Xampp v1.8.3-3 (openSSL 1.0.1)

1. Test your site:
http://possible.lv/tools/hb/
If you get: "Server is vulnerable, please upgrade software ASAP."
2. You need:
Download http://www.apachelounge.com/download/
httpd-2.4.9-win32-VC11.zip and unpack the archive
3. Shutdown Apache service!
4. Copy and replace all files from the unpacked archive "apache24\bin" to your xampp directory disk:\xampp\apache\bin (you do not need to delete any files in the xampp folder, just replace!!!)
WARNING Please backup bin directory!!!
5. Start Apache service!
6. Test server again http://possible.lv/tools/hb/
7. Enjoy "Your server appears to be patched against this bug."
+ now update Apache from 2.4.7 to 2.4.9

P.S. After 1-2 days, update again from 1.0.1g to OpenSSL 1.0.2 stable (currently 1.0.2 beta)
https://www.openssl.org/news/secadv_20140407.txt

Re: Xampp openSSL 1.0.1 critical bug

Posted: 10. April 2014 06:00
by Papache
http://sourceforge.net/projects/xampp/files/security/2014-04%20Heartbleed/

Re: Xampp openSSL 1.0.1 critical bug

Posted: 10. April 2014 10:08
by Beltran
We are working on releasing new versions and a fix for this issue. We are going to publish them today.

Re: Xampp openSSL 1.0.1 critical bug

Posted: 10. April 2014 12:26
by Beltran
Hi,

We released new versions of XAMPP that fix this issue. This release addresses the important OpenSSL Heartbleed security issue. You can download new versions at http://www.apachefriends.org/download.html. We also released patches to fix the OpenSSL Heartbleed issue in previous installations at https://www.apachefriends.org/blog/heartbleed-bug.html.

v1.8.3-4

Updated OpenSSL to 1.0.1g
Updated Apache to 2.4.9
Updated PHP to 5.4.27
phpMyAdmin 4.1.12

v1.8.2-5

Updated OpenSSL to 1.0.1g
Updated Apache to 2.4.9
Updated PHP to 5.5.11
phpMyAdmin 4.1.12

Re: Xampp openSSL 1.0.1 critical bug

Posted: 10. April 2014 19:54
by net.work
Hello - is this fix compatible with Xampp version 1.8.1? I tried it, but after applying the fix, it's not possible to start Apache :( Thanks for info.

Re: Xampp openSSL 1.0.1 critical bug

Posted: 12. April 2014 09:14
by Beltran
XAMPP 1.8.1 for Windows is NOT AFFECTED by this issue. This fix is only for 1.8.3 versions on Windows, previous versions are not affected.

Re: Xampp openSSL 1.0.1 critical bug

Posted: 28. April 2014 16:10
by jjmil03
XAMPP 1.8.1 is affected, as it runs OpenSSL 1.0.1c. I am having the same issue, it will not start after I replace the DLL files. Would they need to be registered or something? Please help.

Re: Xampp openSSL 1.0.1 critical bug

Posted: 29. April 2014 18:56
by orware
Hi Beltran,

I also have version 1.8.1 installed and went through your posted instructions with the patched files on a Windows Server 2008 R2 machine I have XAMPP installed on and wasn't able to start Apache up after copying the files over.

Replacing the files with my backed up ones allowed Apache to restart OK again.

I'd be happy to upgrade XAMPP normally if it was just a development workstation, but in this case I am actually using XAMPP as a proxy with Tomcat and SSL setup so I would rather avoid having to do that setup work again if I can, since I remember it took a while.

Re: Xampp openSSL 1.0.1 critical bug

Posted: 05. May 2014 13:34
by tfbarrett1981
I patched the files according to the directions on this page https://www.apachefriends.org/blog/heartbleed-bug.html

But when I try to start Apache it will not start.

I am using Windows Server 2012.

Any ideas?

Re: Xampp openSSL 1.0.1 critical bug

Posted: 05. May 2014 14:11
by tfbarrett1981
Solved my own problems with some googling.

If, after you patch the install, Apache won't start, run the "openssl version -a" command to get the version and see the following message:
"The Program can't start because MSVCR110.dll is missing from your computer. Try reinstalling the program to fix this problem."

You can download and install the C++ redistributable installer for Visual Studio 2012 from Microsoft. You can install the "32 bit" version
http://www.microsoft.com/en-us/download/details.aspx?id=30679
and select the "vcredist_x86.exe" installer.
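
The replacement procedure from the first post, combined with the MSVCR110.dll check from the post above, as an added PowerShell example (not code from any poster or from the XAMPP project). The install path, the unpack path and the service name `Apache2.4` are assumptions; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1) comes from the OpenSSL advisory linked in the first post.

```powershell
# Added example. All three values below are assumptions: adjust them first.
$XamppBin   = 'C:\xampp\apache\bin'     # assumed XAMPP location
$PatchedBin = 'C:\temp\Apache24\bin'    # assumed location of the unpacked archive
$Service    = 'Apache2.4'               # assumed Apache service name

function Test-HeartbleedVersion([string]$Banner) {
    # $true when an "openssl version" banner names an affected release:
    # 1.0.1 through 1.0.1f, or 1.0.2-beta / 1.0.2-beta1. 1.0.1g is fixed.
    if ($Banner -match 'OpenSSL 1\.0\.2-beta1?(\s|$)') { return $true }
    if ($Banner -cmatch 'OpenSSL 1\.0\.1([a-z]?)(\s|-|$)') {
        return ($Matches[1] -eq '' -or
                [string]::CompareOrdinal($Matches[1], 'g') -lt 0)
    }
    return $false
}

# Pre-flight: the VC11 build needs the 32-bit msvcr110.dll. Check before
# touching anything, so a missing runtime cannot leave Apache unable to start.
$sysDir = Join-Path $env:SystemRoot 'SysWOW64'   # 32-bit DLLs on 64-bit Windows
if (-not (Test-Path $sysDir)) { $sysDir = Join-Path $env:SystemRoot 'System32' }
if (-not ((Test-Path "$sysDir\msvcr110.dll") -or
          (Test-Path "$PatchedBin\msvcr110.dll"))) {
    throw 'msvcr110.dll not found: install vcredist_x86.exe before replacing files.'
}

# Back up the bin directory, stop Apache, then overwrite in place.
$Backup = "$XamppBin.bak-" + (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item $XamppBin $Backup -Recurse
Stop-Service $Service
Copy-Item "$PatchedBin\*" $XamppBin -Recurse -Force

# Verify with the openssl.exe that now sits in the same directory;
# restore the backup if it fails to run or still reports an affected version.
$after = & "$XamppBin\openssl.exe" version
if ($LASTEXITCODE -ne 0 -or -not $after -or (Test-HeartbleedVersion $after)) {
    Copy-Item "$Backup\*" $XamppBin -Recurse -Force
    Start-Service $Service
    throw "Replacement failed or still affected ('$after'); restored from $Backup"
}
Start-Service $Service
"Apache restarted with: $after"
```

Run it from an elevated PowerShell prompt, since stopping and starting the service requires administrator rights.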

Re: Xampp openSSL 1.0.1 critical bug

Posted: 05. May 2014 17:24
by orware
tfbarrett1981 wrote: Solved my own problems with some googling.

If, after you patch the install, Apache won't start, run the "openssl version -a" command to get the version and see the following message:
"The Program can't start because MSVCR110.dll is missing from your computer. Try reinstalling the program to fix this problem."

You can download and install the C++ redistributable installer for Visual Studio 2012 from Microsoft. You can install the "32 bit" version
http://www.microsoft.com/en-us/download/details.aspx?id=30679
and select the "vcredist_x86.exe" installer.


Thanks tfbarrett1981! Installing the x86 redistributable and then running through the procedure one more time worked perfectly!