Posted to users@tomcat.apache.org by Jeffrey Janner <Je...@PolyDyne.com> on 2014/04/09 21:18:34 UTC
Temporary mitigation of Heartbleed?
Much as I loathe downgrading, would it be possible/advisable to downgrade the native libraries to 1.1.23 with Tomcat 7.0.50?
That version is the last to use a pre-1.0.1 version of OpenSSL (1.0.0g).
This could help us at least until we get a blessed version from the APR team?
Jeffrey Janner
Sr. Network Administrator
jeffrey.janner@polydyne.com
PolyDyne Software Inc.
Main: 512.343.9100
Direct: 512.583.8930
Speed, Intelligence & Savings in Sourcing
Re: Temporary mitigation of Heartbleed?
Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-04-09 23:18 GMT+04:00 Jeffrey Janner <Je...@polydyne.com>:
>
> Much as I loathe downgrading, would it be possible/advisable to downgrade the native libraries to 1.1.23 with Tomcat 7.0.50?
1. There is a minimum required version of TCNative for every Tomcat.
See constants in AprLifecycleListener source.
2. Old versions of OpenSSL have their own security issues.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Temporary mitigation of Heartbleed?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jeffrey,
On 4/9/14, 1:18 PM, Jeffrey Janner wrote:
> Much as I loathe downgrading, would it be possible/advisable to
> downgrade the native libraries to 1.1.23 with Tomcat 7.0.50?
Check the security and changelog pages?
> That version is the last to use a pre-1.0.1 version of OpenSSL
> (1.0.0g).
I thought that 1.0.0 was also vulnerable. I think you have to go back
to 0.9.8. Don't quote me on that.
> This could help us at least until we get a blessed version from the
> APR team?
I'm sure the vote will be quick. Honestly, I'm already +1 for release
even though it's not yet built. Any bugs in the release will be better
than insecure OpenSSL.
- -chris
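A quick way to apply both points raised in the replies above (whether the Tomcat Native build meets the minimum Tomcat requires, and whether the OpenSSL it links sits in the Heartbleed-affected range) is to parse what AprLifecycleListener writes at startup. This is an added example, not code from the thread or from the Tomcat project: the sample log lines are constructed, and the required tcnative version is a placeholder that you must take from the constants in the AprLifecycleListener source of your own Tomcat build.

```python
import re

# Heartbleed (CVE-2014-0160) affects the OpenSSL 1.0.1 branch from 1.0.1 up to
# and including 1.0.1f; 1.0.1g carries the fix (the 1.0.2 betas were affected too,
# but a GA 1.0.2 string never matches below). The 0.9.8 and 1.0.0 branches never
# contained the heartbeat code, so a downgrade sidesteps this bug but inherits
# every other fix those branches lack.
HEARTBLEED_FIXED_LETTER = "g"

# Constructed sample lines in the shape AprLifecycleListener logs to catalina.out.
SAMPLE_LOG = """\
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

# Placeholder: read the real minimum from AprLifecycleListener for your Tomcat version.
REQUIRED_TCN_PLACEHOLDER = (1, 1, 24)

_TCN_RE = re.compile(r"Tomcat Native library (\d+)\.(\d+)\.(\d+)")
_SSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_versions(log_text):
    """Return (tcnative (maj, min, patch), openssl (maj, min, fix, letter)); None if absent."""
    tcn = _TCN_RE.search(log_text)
    ssl = _SSL_RE.search(log_text)
    tcn_v = tuple(int(x) for x in tcn.groups()) if tcn else None
    ssl_v = (int(ssl.group(1)), int(ssl.group(2)), int(ssl.group(3)), ssl.group(4)) if ssl else None
    return tcn_v, ssl_v


def openssl_heartbleed_affected(v):
    """True when an OpenSSL (major, minor, fix, letter) lies in the Heartbleed window."""
    major, minor, fix, letter = v
    if (major, minor, fix) != (1, 0, 1):
        return False  # 0.9.8.x / 1.0.0x are outside the affected branch
    return letter < HEARTBLEED_FIXED_LETTER  # "" (plain 1.0.1) through "f" are affected


def assess(log_text, required_tcn):
    """Summarise both checks for one startup log."""
    tcn_v, ssl_v = parse_versions(log_text)
    return {
        "tcnative": tcn_v,
        "tcnative_ok": tcn_v is not None and tcn_v >= required_tcn,
        "openssl": ssl_v,
        "heartbleed": ssl_v is not None and openssl_heartbleed_affected(ssl_v),
    }
```

Run `assess(open("catalina.out").read(), REQUIRED_TCN_PLACEHOLDER)` against a real startup log; a result with `heartbleed` true and `tcnative_ok` false tells you a downgrade would not even load, which is the point of the first reply.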