Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/03/02 09:48:19 UTC

OpenSSL vulnerabilities

All,

I'm primarily looking at the Windows builds for Tomcat Native.
tc-native 1.1.34 was built with OpenSSL 1.0.1q
tc-native 1.2.4 was built with OpenSSL 1.0.2e.

Looking at the latest OpenSSL security vulnerabilities:

CVE-2016-0800: SSLv2 disabled by default. Not an issue.

CVE-2016-0705: Low. Considered rare.

CVE-2016-0798: Feature not used. Not an issue.

CVE-2016-0797: Config data is trusted. Not an issue.

CVE-2016-0799: Feature not used. Not an issue.

CVE-2016-0702: Low. Limited exploit potential.

CVE-2016-0703: Fixed in the versions we used.

CVE-2016-0704: Fixed in the versions we used.

So my reading of this is that folks that deliberately re-enable SSLv2
are going to have issues. But you could argue enabling SSLv2 does that
all on its own. The other two issues are rare/hard to exploit.

I don't see a need to rush out a tc-native release. On the other hand, a
1.2.5 wouldn't hurt and the version numbering reporting looks like a
useful change.

What does everyone think to a tc-native 1.2.5 release followed by 9.0.x
and 8.0.x releases to pick up the new Windows binaries?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: OpenSSL vulnerabilities

Posted by Rainer Jung <ra...@kippdata.de>.
On 02.03.2016 at 09:48, Mark Thomas wrote:
> All,
>
> I'm primarily looking at the Windows builds for Tomcat Native.
> tc-native 1.1.34 was built with OpenSSL 1.0.1q
> tc-native 1.2.4 was built with OpenSSL 1.0.2e.
>
> Looking at the latest OpenSSL security vulnerabilities:
>
> CVE-2016-0800: SSLv2 disabled by default. Not an issue.

And if users ask: tcnative 1.2.4 has it disabled hard, no way to enable it.
1.1.x has it disabled by default (at least in the latest releases of
each TC branch), but IMHO you could enable it using connector config.

> CVE-2016-0705: Low. Considered rare.
>
> CVE-2016-0798: Feature not used. Not an issue.
>
> CVE-2016-0797: Config data is trusted. Not an issue.
>
> CVE-2016-0799: Feature not used. Not an issue.
>
> CVE-2016-0702: Low. Limited exploit potential.
>
> CVE-2016-0703: Fixed in the versions we used.
>
> CVE-2016-0704: Fixed in the versions we used.

Agreed.

> So my reading of this is that folks that deliberately re-enable SSLv2
> are going to have issues. But you could argue enabling SSLv2 does that
> all on its own. The other two issues are rare/hard to exploit.

With 1.2.4 there is no way to enable it.

> I don't see a need to rush out a tc-native release. On the other hand, a
> 1.2.5 wouldn't hurt and the version numbering reporting looks like a
> useful change.
>
> What does everyone think to a tc-native 1.2.5 release followed by 9.0.x
> and 8.0.x releases to pick up the new Windows binaries?

+1

Rainer
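As an added example that is not part of this thread or of Tomcat Native: the practical check behind the SSLv2 discussion above is whether a connector still answers an SSLv2 CLIENT-HELLO at all, since that is what CVE-2016-0800 turns on. The probe below assembles the SSLv2 handshake by hand from the SSLv2 wire format (modern OpenSSL and Python builds no longer speak SSLv2). The host, port, and the two sample server replies are constructed for the example; only `probe()` touches the network.

```python
"""Probe a TLS endpoint for SSLv2 support with a raw SSLv2 CLIENT-HELLO.

Added example; this is not code from the Tomcat thread or from Tomcat Native.
SSLv2 wire format used here: 2-byte record header (high bit set, 15-bit
length) or 3-byte header (high bit clear, 14-bit length plus padding byte),
CLIENT-HELLO message type 0x01, SERVER-HELLO message type 0x04.
"""
import os
import socket
import struct

# The seven cipher kinds defined by the SSLv2 spec, 3 bytes each.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=None):
    """Return an SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher."""
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    body = (
        b"\x01"                                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                                        # CLIENT-VERSION = 2
        + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
        + cipher_specs                                       # CIPHER-SPECS-DATA
        + challenge                                          # CHALLENGE-DATA (no session id)
    )
    # 2-byte header: high bit set means "no padding", low 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_response(data):
    """Classify the reply to the CLIENT-HELLO as (sslv2_accepted, cipher_names).

    A SERVER-HELLO (0x04) inside an SSLv2 record means SSLv2 is enabled.  Anything
    else (empty reply, TLS alert record, garbage) is treated as refusal.
    """
    if len(data) < 3:
        return False, []
    if data[0] & 0x80:                      # 2-byte header
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                   # 3-byte header with padding byte
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) < 11 or body[0] != 0x04:
        return False, []
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names


def probe(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO, and report whether the server negotiated SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        chunks = []
        try:
            while True:                      # an SSLv2 server stalls waiting for CLIENT-MASTER-KEY
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return parse_server_response(b"".join(chunks))


def _sample_server_hello():
    """Constructed SSLv2 SERVER-HELLO (not a real capture) offering two ciphers."""
    cert = b"\x30\x03\x02\x01\x01"          # placeholder bytes standing in for a DER cert
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = bytes(range(16))
    body = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"   # type, no session hit, X.509, version 2
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed sample replies for offline checks; neither is a real capture.
SAMPLE_SERVER_HELLO = _sample_server_hello()
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # TLS 1.0 alert record, handshake_failure


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    accepted, ciphers = probe(host, port)
    print("SSLv2 accepted:" if accepted else "SSLv2 refused:", ciphers)
```

Run it as `python sslv2_probe.py host 8443` against the connector under test. A SERVER-HELLO coming back means the server negotiated SSLv2 whatever the configuration claims; a TLS alert or a closed connection is what a build with SSLv2 compiled out, as Rainer describes for 1.2.4, should produce.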

