Posted to users@tomcat.apache.org by Scott Johnson <sj...@dag.com> on 2014/04/15 22:46:09 UTC

Which tcnative to replace for Heartbleed?

I deploy Tomcat 7 in both 64 and 32 bit environments. When I deploy/upgrade,
I download Tomcat from this page: http://tomcat.apache.org/download-70.cgi,
downloading both the 32-bit Windows and 64-bit Windows zip files.

 

I would like to make sure that my Tomcat deployments are secure from the
OpenSSL Heartbleed bug, and my understanding is that I simply need to
replace tcnative-1.dll in my download with one from this page:
http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/binaries/. But
which one? I assume I don't need OCSP - do I? But then in the download there
are 3 different versions, one at the top level, one in i64 and one in x64.
Can I assume that the top level one is 32 bit and the x64 one is 64 bit?

 

Of course, it would be useful if there were simply a new release of Tomcat,
or a readily available guide for current users on how to protect ourselves
from this issue. Knowing whether an updated Heartbleed-free version of
Windows Tomcat was coming in the next few days would resolve this issue as
well.


Thanks,

 

Scott

 


RE: Which tcnative to replace for Heartbleed?

Posted by Scott Johnson <sj...@dag.com>.
Thanks for your reply, that clears up just about everything. I got the link directly from the Bugzilla bug where this issue was reported, by the way.

Scott

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com] 
Sent: Tuesday, April 15, 2014 3:03 PM
To: Tomcat Users List
Subject: Re: Which tcnative to replace for Heartbleed?

2014-04-16 0:46 GMT+04:00 Scott Johnson <sj...@dag.com>:
> I deploy Tomcat 7 in both 64 and 32 bit environments. When I 
> deploy/upgrade, I download Tomcat from this page: 
> http://tomcat.apache.org/download-70.cgi,
> downloading both the 32-bit Windows and 64-bit Windows zip files.
>
>
>
> I would like to make sure that my Tomcat deployments are secure from 
> the OpenSSL Heartbleed bug, and my understanding is that I simply need 
> to replace tcnative-1.dll in my download with one from this page:
> http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/binaries/.

Where did you get that link?
A policy is that we do not advertise direct links to the ASF server, but suggest using the mirrors.

http://tomcat.apache.org/download-native.cgi
-> "You may download them from HERE" (a link)

Though the ASF server contains the MD5 and ASC files. (Those are not mirrored).

> But
> which one? I assume I don't need OCSP - do I?

Yes, that is correct.

> But then in the download there
> are 3 different versions, one at the top level, one in i64 and one in x64.
> Can I assume that the top level one is 32 bit and the x64 one is 64 bit?

Yes, that is correct.

> Of course, it would be useful if there were simply a new release of 
> Tomcat, or a readily available guide for current users on how to 
> protect ourselves from this issue. Knowing whether an updated 
> Heartbleed-free version of Windows Tomcat was coming in the next few 
> days would resolve this issue as well.

Work is ongoing, but that will take some time. There are still bugs that need fixing before cutting a release. The release vote itself will take 3 days (72h).

A guide is on the wiki,
http://wiki.apache.org/tomcat/Security/Heartbleed

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: Which tcnative to replace for Heartbleed?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-04-16 0:46 GMT+04:00 Scott Johnson <sj...@dag.com>:
> I deploy Tomcat 7 in both 64 and 32 bit environments. When I deploy/upgrade,
> I download Tomcat from this page: http://tomcat.apache.org/download-70.cgi,
> downloading both the 32-bit Windows and 64-bit Windows zip files.
>
>
>
> I would like to make sure that my Tomcat deployments are secure from the
> OpenSSL Heartbleed bug, and my understanding is that I simply need to
> replace tcnative-1.dll in my download with one from this page:
> http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/binaries/.

Where did you get that link?
A policy is that we do not advertise direct links to the ASF server,
but suggest using the mirrors.

http://tomcat.apache.org/download-native.cgi
-> "You may download them from HERE" (a link)

Though the ASF server contains the MD5 and ASC files. (Those are not mirrored).

> But
> which one? I assume I don't need OCSP - do I?

Yes, that is correct.

> But then in the download there
> are 3 different versions, one at the top level, one in i64 and one in x64.
> Can I assume that the top level one is 32 bit and the x64 one is 64 bit?

Yes, that is correct.

> Of course, it would be useful if there were simply a new release of Tomcat,
> or a readily available guide for current users on how to protect ourselves
> from this issue. Knowing whether an updated Heartbleed-free version of
> Windows Tomcat was coming in the next few days would resolve this issue as
> well.

Work is ongoing, but that will take some time. There are still bugs
that need fixing before cutting a release. The release vote itself
will take 3 days (72h).

A guide is on the wiki,
http://wiki.apache.org/tomcat/Security/Heartbleed

Best regards,
Konstantin Kolinko
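
Added example, not part of the original thread or of Tomcat: a small Python check that reads the PE/COFF header of a tcnative-1.dll and reports which architecture it was built for, so the 32-bit/64-bit question above can be confirmed from the file itself rather than from its directory name. The function names and the `_sample_pe` helper are hypothetical, and the sample header bytes are constructed for illustration.

```python
import struct

# Machine codes from the Microsoft PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit, AMD64)",
    0x0200: "IA-64 (64-bit, Itanium)",
}


def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE file's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # The 16-bit Machine field follows the signature directly.
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")


def dll_machine(path: str) -> str:
    """Classify a DLL on disk; the headers sit in the first few KB."""
    with open(path, "rb") as f:
        return pe_machine(f.read(4096))


def _sample_pe(machine: int) -> bytes:
    """Constructed minimal header for demonstration, not a real DLL."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    import sys
    # Usage: python check_dll.py path\to\tcnative-1.dll [more.dll ...]
    for p in sys.argv[1:]:
        print(p, "->", dll_machine(p))
```

This only identifies the build target; the integrity of the download is still checked against the MD5 and ASC files mentioned in the reply.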
