tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: [VOTE] Release Apache Tomcat Native 1.1.22
Date Mon, 01 Aug 2011 13:06:59 GMT
2011/8/1 Rainer Jung <rainer.jung@kippdata.de>:
> - Binaries build against old APR 1.3.12 (recent is 1.4.5)
>  and OpenSSL 0.9.8r (recent is 1.0.1d).
>  Is that intentional?

(I think you meant 1.0.0d. That is what the latest version is [1]. )

1. Both other products I use that depend on OpenSSL (Apache HTTPD and
Subversion), are already upgraded to APR 1.4.5 and OpenSSL 1.0.0d in
those builds that I am using.

2. OpenSSL version seems formally OK, because 0.9.8r and 1.0.0d were
released on the same day and contain the same vulnerability fixes.
Though I would prefer 1.0.0d, because of "1." above.

3. APR version - it is hard to assess, but from a quick glance it looks
like 1.4.5 has a fix for
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
(further fixed in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928 ).

Anyway, apr.apache.org does not mention 1.3.12 as recommended in any
way. The only legacy version mentioned is 0.9.

The APR website security page is lacking [2]: it does not mention what
security fixes were there and to what versions they apply; one has to
look into change logs and elsewhere.


[1] http://openssl.org/news/
[2] http://apr.apache.org/security_report.html

Best regards,
Konstantin Kolinko
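The version-currency check behind points 1-3, as an added example that is not part of the original e-mail or of Tomcat Native. The table of current releases is an assumption copied from the thread as of August 2011 (APR 1.4.5; OpenSSL 1.0.0d and 0.9.8r as the two maintained branches) and must be refreshed before real use; the product keys and function names are hypothetical. The point it demonstrates is the distinction point 2 draws: a build on an older but still maintained branch (0.9.8r) is "current" on that branch, while a build on a branch the table no longer lists (APR 1.3.x) is the case that needs a closer look.

```python
"""Compare dependency versions quoted in a release VOTE against the
current release on each maintained branch (added example; the table of
current releases is an assumption taken from the thread, Aug 2011)."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed current releases per maintained branch, as quoted in the thread.
CURRENT_RELEASES: Dict[str, List[str]] = {
    "apr": ["1.4.5"],
    "openssl": ["1.0.0d", "0.9.8r"],
}

# Pre-1.1.0 OpenSSL: MAJOR.MINOR.FIX followed by an optional patch letter run.
_OPENSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def openssl_letters_to_int(letters: str) -> int:
    """Order pre-1.1.0 patch letters: '' < a < b < ... < z < za < zb < ..."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def parse_version(product: str, text: str) -> Tuple[int, ...]:
    """Turn a version string into a comparable tuple for the given product."""
    if product == "openssl":
        m = _OPENSSL_RE.match(text)
        if not m:
            raise ValueError(f"unrecognised OpenSSL version: {text!r}")
        major, minor, fix, letters = m.groups()
        return (int(major), int(minor), int(fix), openssl_letters_to_int(letters))
    if product == "apr":
        parts = text.split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"unrecognised APR version: {text!r}")
        return tuple(int(p) for p in parts)
    raise ValueError(f"unknown product: {product!r}")


def branch_of(product: str, parsed: Tuple[int, ...]) -> Tuple[int, ...]:
    """APR maintains MAJOR.MINOR branches; pre-1.1.0 OpenSSL maintains MAJOR.MINOR.FIX."""
    return parsed[:2] if product == "apr" else parsed[:3]


def check(product: str, version: str) -> Dict[str, Optional[str]]:
    """Classify a built-against version relative to the current-release table."""
    parsed = parse_version(product, version)
    branch = branch_of(product, parsed)
    for current in CURRENT_RELEASES[product]:
        current_parsed = parse_version(product, current)
        if branch_of(product, current_parsed) != branch:
            continue
        if parsed == current_parsed:
            status = "current"
        elif parsed < current_parsed:
            status = "behind_on_branch"   # same branch, newer release available
        else:
            status = "ahead_of_table"     # table is stale, refresh it
        return {"product": product, "version": version,
                "status": status, "latest_on_branch": current}
    # No maintained branch matches: the thread's APR 1.3.12 case.
    return {"product": product, "version": version,
            "status": "unlisted_branch", "latest_on_branch": None}


def audit(build: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Run check() over every dependency a binary was built against."""
    return [check(product, version) for product, version in sorted(build.items())]


if __name__ == "__main__":
    # Versions the thread reports for the Tomcat Native 1.1.22 binaries.
    tcnative_1_1_22 = {"apr": "1.3.12", "openssl": "0.9.8r"}
    for result in audit(tcnative_1_1_22):
        print(f"{result['product']:8} {result['version']:8} "
              f"{result['status']:18} latest on branch: {result['latest_on_branch']}")
```

The classifier deliberately does not say "vulnerable": whether a release carries a particular fix is a change-log question, which is exactly what the message complains the APR security page does not answer. It only tells you which versions deserve that change-log lookup.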
