You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@ofbiz.apache.org by Nicolas Malin <ni...@nereide.fr> on 2014/11/16 22:38:46 UTC

Poodle vulnerability and stable branches 12.04

Hi,

With the poodle vulnerability, the branch 12.04 migrated to java 1.7 
from the svn revision 1639986. For more information and to understand 
the reason you can see https://issues.apache.org/jira/browse/OFBIZ-5848.

You will need to upgrade your jvm from 1.6 to 1.7 on your local 
environment if you follow the branch 12.04.

If you use Apache OFBiz 12.04.05, you may be concerned only if you use 
the https connector of the embed tomcat. In this case, you can follow 
this process :
  * update your jvm to 1.7
  * change your tomcat ssl protocol to TLSv2 in your ofbiz-container.xml 
like :
       <property name="sslProtocol" value="TLSv2"/>
       <property name="protocols" value="TLSv2"/>
  * apply the patch 
https://issues.apache.org/jira/secure/attachment/12681409/OFBIZ-5848-java17-12.04.patch
  * compile
  * Have fun !

If you detect any error, please let me know.

Nicolas

Re: Poodle vulnerability and stable branches 12.04

Posted by Nicolas Malin <ni...@nereide.fr>.

Le 16/11/2014 23:51, Jacques Le Roux a écrit :
> Apache OFBiz 12.04.* older releases (than 12.04.05) 
Yes you right :)
Just a little problem ... I'm not sure that my patch works on older 
releases.

I will checking after the ApacheconEU

Nicolas

Re: Poodle vulnerability and stable branches 12.04

Posted by Jacques Le Roux <ja...@les7arts.com>.

Thanks Nicolas!

The same applies to Apache OFBiz 13.07.01 and of course, Apache OFBiz 12.04.* older releases (than 12.04.05)

Again: only mandatory if you use the HTTPS connector (like with Nginx as Front or with a direct access to the embedded Tomcat). Always better to 
update anyway

Jacques

Le 16/11/2014 22:38, Nicolas Malin a écrit :
> Hi,
>
> With the poodle vulnerability, the branch 12.04 migrated to java 1.7 from the svn revision 1639986. For more information and to understand the 
> reason you can see https://issues.apache.org/jira/browse/OFBIZ-5848.
>
> You will need to upgrade your jvm from 1.6 to 1.7 on your local environment if you follow the branch 12.04.
>
> If you use Apache OFBiz 12.04.05, you may be concerned only if you use the https connector of the embed tomcat. In this case, you can follow this 
> process :
>  * update your jvm to 1.7
>  * change your tomcat ssl protocol to TLSv2 in your ofbiz-container.xml like :
>       <property name="sslProtocol" value="TLSv2"/>
>       <property name="protocols" value="TLSv2"/>
>  * apply the patch https://issues.apache.org/jira/secure/attachment/12681409/OFBIZ-5848-java17-12.04.patch
>  * compile
>  * Have fun !
>
> If you detect any error, please let me know.
>
> Nicolas
>