tomcat-dev mailing list archives

From Konstantin Kolinko <>
Subject Re: [VOTE] Release Apache Tomcat Native 1.1.22
Date Mon, 01 Aug 2011 13:06:59 GMT
2011/8/1 Rainer Jung <>:
> - Binaries built against old APR 1.3.12 (recent is 1.4.5)
>  and OpenSSL 0.9.8r (recent is 1.0.1d).
>  Is that intentional?

(I think you meant 1.0.0d. That is what the latest version is [1].)

1. Both other products I use that depend on OpenSSL (Apache HTTPD and
Subversion), are already upgraded to APR 1.4.5 and OpenSSL 1.0.0d in
those builds that I am using.

2. OpenSSL version seems formally OK, because 0.9.8r and 1.0.0d were
released on the same day and contain the same vulnerability fixes.
Though I would prefer 1.0.0d, because of "1." above.

3. APR version - it is hard to assess, but from a quick glance it looks
like 1.4.5 has a fix for
(further fixed in ).

Anyway, does not mention 1.3.12 as recommended in any
way. The only legacy version mentioned is 0.9.

The APR website security page is lacking [2]: it does not mention what
security fixes were there and to what versions they apply - one has to
look into change logs and elsewhere.


Best regards,
Konstantin Kolinko
