Posted to dev@tomcat.apache.org by ma...@apache.org on 2012/12/21 16:25:49 UTC

svn commit: r1424970 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

Author: markt
Date: Fri Dec 21 15:25:48 2012
New Revision: 1424970

URL: http://svn.apache.org/viewvc?rev=1424970&view=rev
Log:
Update info on CVE-2009-3555 as a fixed version of JSSE is available and Tomcat's NIO connector does implement renegotiation from 7.0.10 onwards.

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1424970&r1=1424969&r2=1424970&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Fri Dec 21 15:25:48 2012
@@ -1441,14 +1441,21 @@
        
     
 <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
-       To workaround this until a fix is available in JSSE, use the connector
-       attribute <code>allowUnsafeLegacyRenegotiation</code>. It should be set
-       to <code>false</code> (the default) to protect against this
-       vulnerability.</p>
+       To workaround a vulnerable version of JSSE, use the connector attribute
+       <code>allowUnsafeLegacyRenegotiation</code>. It should be set to
+       <code>false</code> (the default) to protect against this vulnerability.
+       </p>
+       
+    
+<p>The NIO connector prior to 7.0.10 is not vulnerable as it does not
+       support renegotiation.</p>
        
     
-<p>The NIO connector is not vulnerable as it does not support
-       renegotiation.</p>
+<p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
+       version used is vulnerable. To workaround a vulnerable version of JSSE,
+       use the connector attribute <code>allowUnsafeLegacyRenegotiation</code>.
+       It should be set to <code>false</code> (the default) to protect against
+       this vulnerability.</p>
        
     
 <p>The APR/native workarounds are detailed on the
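Review bot: the rewritten BIO paragraph drops the old "until a fix is available in JSSE" but never tells the reader that the primary remedy is now to run a fixed JSSE, which the log message says exists; the workaround attribute is presented as the only action. Consider leading the paragraph with the upgrade and keeping `allowUnsafeLegacyRenegotiation` set to `false` as the mitigation for deployments that cannot upgrade yet. Minor style point: the new BIO paragraph closes with `</p>` on its own line, while the two new NIO paragraphs and the surrounding ones close inline, so this generated HTML will render fine but the source is inconsistent. Since docs/security-7.html is generated from xdocs/security-7.xml, that fix belongs in the XML hunk and a regeneration.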

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1424970&r1=1424969&r2=1424970&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Fri Dec 21 15:25:48 2012
@@ -663,13 +663,19 @@
        provided by the JVM. The APR/native connector uses OpenSSL.</p>
        
     <p>The BIO connector is vulnerable if the JSSE version used is vulnerable.
-       To workaround this until a fix is available in JSSE, use the connector
-       attribute <code>allowUnsafeLegacyRenegotiation</code>. It should be set
-       to <code>false</code> (the default) to protect against this
-       vulnerability.</p>
+       To workaround a vulnerable version of JSSE, use the connector attribute
+       <code>allowUnsafeLegacyRenegotiation</code>. It should be set to
+       <code>false</code> (the default) to protect against this vulnerability.
+       </p>
+       
+    <p>The NIO connector prior to 7.0.10 is not vulnerable as it does not
+       support renegotiation.</p>
        
-    <p>The NIO connector is not vulnerable as it does not support
-       renegotiation.</p>
+    <p>The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
+       version used is vulnerable. To workaround a vulnerable version of JSSE,
+       use the connector attribute <code>allowUnsafeLegacyRenegotiation</code>.
+       It should be set to <code>false</code> (the default) to protect against
+       this vulnerability.</p>
        
     <p>The APR/native workarounds are detailed on the
        <a href="security-native.html">APR/native connector security page</a>.
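Review bot: the two new NIO paragraphs split one statement across two blocks ("prior to 7.0.10 is not vulnerable" and "vulnerable from version 7.0.10 onwards"), so a reader scanning for their version has to read both; a single paragraph such as "The NIO connector is not vulnerable prior to 7.0.10 as it does not support renegotiation. From 7.0.10 onwards it is vulnerable if the JSSE version used is vulnerable; ..." would be clearer and would also avoid repeating the `allowUnsafeLegacyRenegotiation` instructions word for word from the BIO paragraph. The same formatting nit as in the HTML applies here: the BIO paragraph's closing `</p>` is on its own line (the line after "to protect against this vulnerability.") while every other paragraph closes inline. Also worth a sentence that upgrading to the fixed JSSE mentioned in the log message is the real fix and the attribute is the fallback.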
