tomcat-dev mailing list archives

From jean-frederic clere <jfcl...@gmail.com>
Subject Re: [VOTE] Release Apache Tomcat Native 1.1.22
Date Mon, 08 Aug 2011 09:39:01 GMT
On 08/01/2011 03:06 PM, Konstantin Kolinko wrote:
> 2011/8/1 Rainer Jung<rainer.jung@kippdata.de>:
>> - Binaries built against old APR 1.3.12 (recent is 1.4.5)
>>   and OpenSSL 0.9.8r (recent is 1.0.1d).
>>   Is that intentional?
>
> (I think you meant 1.0.0d. That is what the latest version is [1]. )
>
> 1. Both other products I use that depend on OpenSSL (Apache HTTPD and
> Subversion), are already upgraded to APR 1.4.5 and OpenSSL 1.0.0d in
> those builds that I am using.
>
> 2. OpenSSL version seems formally OK, because 0.9.8r and 1.0.0d were
> released on the same day and contain the same vulnerability fixes.
> Though I would prefer 1.0.0d, because of "1." above.
>
> 3. APR version - it is hard to assess but from a quick glance it looks
> that 1.4.5 has fix for
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
> (further fixed in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928 ).

We don't use the fnmatch.
But we should upgrade the build at some point (updating the build is 
only a packaging/testing issue in fact).

Cheers

Jean-Frederic
