Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2020/04/22 10:34:22 UTC

Time for Tomcat Native 1.2.24?

Hi all,

You have probably seen this:
OpenSSL - CVE-2020-1967
https://openssl.markmail.org/thread/nuamcatocap7rwrw

I have reviewed the Tomcat Native code and confirmed that we do not call
SSL_check_chain() at any point.

I also looked at the OpenSSL code as I was concerned that we might hit
the same problem via an internal code path. It appears I wasn't the only
one with that concern and the OpenSSL team confirmed that the issue only
occurs when calling SSL_check_chain():
https://openssl.markmail.org/thread/okfaim5oqhh2egj6

Therefore, it is not necessary to roll a new Tomcat Native release to
pick up an updated OpenSSL version for the Windows binaries.

That said, there are a few Tomcat Native fixes since 1.2.23 and it has
been 9 months since the last release. We should have enough time to get
a 1.2.24 release out if we want to.

Thoughts?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
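As an added illustration of the kind of check Mark describes above (this is example code written for this page, not Tomcat Native's own tooling or build scripts), the POSIX shell script below scans a C source tree for calls to SSL_check_chain() and, optionally, a built shared object for an undefined reference to that symbol, which is what a real call into OpenSSL leaves in the dynamic symbol table. The fixture directory, its file names and their contents are constructed here for the example; point scan_sources and scan_binary at a real checkout and a real libtcnative to run the check for yourself.

```shell
#!/bin/sh
# Added example: is a native code base exposed to CVE-2020-1967?
# Per the OpenSSL team's reply linked in the thread, the bug is reachable
# only through SSL_check_chain(), so the question reduces to "do we call it".
# All paths and file contents below are constructed for this example.

# scan_sources DIR: print every C/C++ source line that calls SSL_check_chain(),
# skipping lines that are only comments. Returns 0 when no call is found,
# 1 when at least one call is found.
scan_sources() {
    dir="$1"
    # /dev/null is passed as an extra argument so grep never reads stdin
    # when the tree contains no matching files.
    hits=$(find "$dir" -type f \( -name '*.c' -o -name '*.h' -o -name '*.cc' \) -print0 \
        | xargs -0 grep -HnE 'SSL_check_chain[[:space:]]*\(' /dev/null \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*(//|\*|/\*)' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# scan_binary LIB: inspect the dynamic symbol table of a built shared object
# (for example libtcnative-1.so) for an undefined (U) SSL_check_chain symbol.
# Returns 0 if absent, 1 if present, 2 if the check could not be performed.
scan_binary() {
    lib="$1"
    [ -f "$lib" ] || return 2
    command -v nm >/dev/null 2>&1 || return 2
    if nm -D "$lib" 2>/dev/null | grep -q ' U SSL_check_chain'; then
        return 1
    fi
    return 0
}

# make_fixture DIR: build a constructed sample tree with one file that only
# mentions the function in a comment and one file that really calls it.
make_fixture() {
    mkdir -p "$1/clean" "$1/dirty"
    cat > "$1/clean/sslcontext.c" <<'EOF'
/* mentions SSL_check_chain( only in a comment */
int ssl_ctx_setup(void) { return 0; }
EOF
    cat > "$1/dirty/checker.c" <<'EOF'
#include <openssl/ssl.h>
int check(SSL *s, X509 *x, EVP_PKEY *pk) { return SSL_check_chain(s, x, pk, NULL); }
EOF
}

# report DIR: human-readable summary for one source tree.
report() {
    if scan_sources "$1"; then
        echo "source tree $1: no SSL_check_chain() call found"
    else
        echo "source tree $1: SSL_check_chain() IS called (see lines above)"
    fi
}

# Stand-alone demo on the constructed fixture.
fixture=$(mktemp -d)
make_fixture "$fixture"
report "$fixture/clean"
report "$fixture/dirty"
```

The source scan is the authoritative answer for a project you build yourself; the binary check is the one to use on a vendor-supplied library whose sources you do not have, and it reports 2 rather than a false "clean" when the file or nm is missing.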


Re: Time for Tomcat Native 1.2.24?

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

On Wed, Apr 22, 2020 at 1:34 PM Mark Thomas <ma...@apache.org> wrote:

> Hi all,
>
> You have probably seen this:
> OpenSSL - CVE-2020-1967
> https://openssl.markmail.org/thread/nuamcatocap7rwrw
>
> I have reviewed the Tomcat Native code and confirmed that we do not call
> SSL_check_chain() at any point.
>
> I also looked at the OpenSSL code as I was concerned that we might hit
> the same problem via an internal code path. It appears I wasn't the only
> one with that concern and the OpenSSL team confirmed that the issue only
> occurs when calling SSL_check_chain():
> https://openssl.markmail.org/thread/okfaim5oqhh2egj6
>
> Therefore, it is not necessary to roll a new Tomcat Native release to
> pick up an updated OpenSSL version for the Windows binaries.
>
> That said, there are a few Tomcat Native fixes since 1.2.23 and it has
> been 9 months since the last release. We should have enough time to get
> a 1.2.24 release out if we want to.
>
> Thoughts?
>

+1
I use a build from the master branch for my testing application and I haven't
had any problems with it!

Regards,
Martin



Re: Time for Tomcat Native 1.2.24?

Posted by Michael Osipov <mi...@apache.org>.
Am 2020-04-22 um 12:34 schrieb Mark Thomas:
> Hi all,
> 
> You have probably seen this:
> OpenSSL - CVE-2020-1967
> https://openssl.markmail.org/thread/nuamcatocap7rwrw
> 
> I have reviewed the Tomcat Native code and confirmed that we do not call
> SSL_check_chain() at any point.
> 
> I also looked at the OpenSSL code as I was concerned that we might hit
> the same problem via an internal code path. It appears I wasn't the only
> one with that concern and the OpenSSL team confirmed that the issue only
> occurs when calling SSL_check_chain():
> https://openssl.markmail.org/thread/okfaim5oqhh2egj6
> 
> Therefore, it is not necessary to roll a new Tomcat Native release to
> pick up an updated OpenSSL version for the Windows binaries.
> 
> That said, there are a few Tomcat Native fixes since 1.2.23 and it has
> been 9 months since the last release. We should have enough time to get
> a 1.2.24 release out if we want to.
> 
> Thoughts?

This sounds good to me. I'd like to add one more thing: remove the dependency on
apr_thread_id in ssl_thread_id(), because our implementation is so elaborate that
using APR here adds no benefit. With this change we can completely
isolate the requirement for APR threading support to pre-OpenSSL 1.1.0
usage. But this will be for 1.2.25.

I will work on this little thing this week.

M
