Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2021/08/25 08:08:56 UTC
OpenSSL security announcement - do we need a Tomcat Native release?
Hi all,
OpenSSL have published a security announcement alongside the latest release:
https://www.openssl.org/news/secadv/20210824.txt
I'm trying to figure out if Tomcat Native is affected by these.
For CVE-2021-3711 it isn't clear to me if the issue relates to just
stand-alone decryption or if any use of SM2 - including in a TLS cipher
- is affected.
For CVE-2021-3712 I can't find any references in the Tomcat Native code
to any of the functions named as potential ways to construct an
ASN1_STRING without the NUL terminators.
Can anyone shed more light on CVE-2021-3711? We do have one fix related
to building with OpenSSL 3.0.0 so it might be simpler to just do a
release anyway.
Thoughts?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: OpenSSL security announcement - do we need a Tomcat Native release?
Posted by Mark Thomas <ma...@apache.org>.
On 25/08/2021 09:08, Mark Thomas wrote:
> Hi all,
>
> OpenSSL have published a security announcement alongside the latest
> release:
>
> https://www.openssl.org/news/secadv/20210824.txt
>
> I'm trying to figure out if Tomcat Native is affected by these.
>
> For CVE-2021-3711 it isn't clear to me if the issue relates to just
> stand-alone decryption or if any use of SM2 - including in a TLS cipher
> - is affected.
>
> For CVE-2021-3712 I can't find any references in the Tomcat Native code
> to any of the functions named as potential ways to construct an
> ASN1_STRING without the NUL terminators.
>
> Can anyone shed more light on CVE-2021-3711? We do have one fix related
> to building with OpenSSL 3.0.0 so it might be simpler to just do a
> release anyway.
>
> Thoughts?
Given there have been no further comments on this, I am going to go ahead
and tag 1.2.31 with a view to using that for the September release round
for 10.1.x etc.
Mark