tomcat-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: OpenSSL vulnerabilities
Date Wed, 02 Mar 2016 12:18:10 GMT
On 02.03.2016 at 09:48, Mark Thomas wrote:
> All,
>
> I'm primarily looking at the Windows builds for Tomcat Native.
> tc-native 1.1.34 was built with OpenSSL 1.0.1q
> tc-native 1.2.4 was built with OpenSSL 1.0.2e.
>
> Looking at the latest OpenSSL security vulnerabilities:
>
> CVE-2016-0800: SSLv2 disabled by default. Not an issue.

And if users ask: tcnative 1.2.4 has it hard-disabled, with no way to enable it. 
1.1.x has it disabled by default (at least in the latest releases of 
each TC branch), but IMHO you could enable it using connector config.

> CVE-2016-0705: Low. Considered rare.
>
> CVE-2016-0798: Feature not used. Not an issue.
>
> CVE-2016-0797: Config data is trusted. Not an issue.
>
> CVE-2016-0799: Feature not used. Not an issue.
>
> CVE-2016-0702: Low. Limited exploit potential.
>
> CVE-2016-0703: Fixed in the versions we used.
>
> CVE-2016-0704: Fixed in the versions we used.

Agreed.

> So my reading of this is that folks that deliberately re-enable SSLv2
> are going to have issues. But you could argue enabling SSLv2 does that
> all on its own. The other two issues are rare/hard to exploit.

With 1.2.4 there is no way to enable it.

> I don't see a need to rush out a tc-native release. On the other hand, a
> 1.2.5 wouldn't hurt and the version numbering reporting looks like a
> useful change.
>
> What does everyone think to a tc-native 1.2.5 release followed by 9.0.x
> and 8.0.x releases to pick up the new Windows binaries?

+1

Rainer
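
The thread turns on whether SSLv2 can be enabled at all on a given tc-native build (hard-disabled in 1.2.4, off by default but configurable in 1.1.x). The check a practitioner would want is to verify that against a running connector rather than trust the default: send an SSLv2 CLIENT-HELLO and see whether the server answers with an SSLv2 SERVER-HELLO (SSLv2 live), an SSLv2 SERVER-HELLO carrying no cipher specs (SSLv2 framing but no usable ciphers), a TLS alert record, or a closed connection. The script below is an added example and is not code from this thread or from the Tomcat project; the cipher-kind codes and message layout are from the SSL 2.0 draft specification, the target host/port (default localhost:8443) is an assumption, and the reply bytes used to exercise the classifier offline are constructed, not captured from a real server.

```python
import socket
import struct

# SSLv2 CIPHER-KIND codes (3 bytes each) from the SSL 2.0 draft spec.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

MSG_CLIENT_HELLO = 1
MSG_SERVER_HELLO = 4


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build an SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind."""
    specs = b"".join(SSLV2_CIPHERS)
    body = (
        bytes([MSG_CLIENT_HELLO])
        + b"\x00\x02"                       # CLIENT-VERSION = 2
        + struct.pack(">H", len(specs))     # CIPHER-SPECS-LENGTH
        + struct.pack(">H", 0)              # SESSION-ID-LENGTH (none)
        + struct.pack(">H", len(challenge)) # CHALLENGE-LENGTH
        + specs
        + challenge
    )
    # Two-byte record header: high bit set means "no padding byte follows",
    # remaining 15 bits carry the record length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_record(data: bytes):
    """Return the body of the first SSLv2 record in data, or None if short."""
    if len(data) < 2:
        return None
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        start = 2
    else:
        if len(data) < 3:
            return None
        length = ((data[0] & 0x3F) << 8) | data[1]
        start = 3                           # third header byte is padding length
    body = data[start:start + length]
    return body if len(body) == length else None


def classify_server_response(data: bytes) -> dict:
    """Decide what the server did with our SSLv2 CLIENT-HELLO."""
    if not data:
        return {"status": "closed", "ciphers": []}
    # A TLS-only server usually answers an SSLv2 hello with a TLS alert
    # record: content type 0x15, version major byte 0x03.
    if data[0] == 0x15 and len(data) > 1 and data[1] == 0x03:
        return {"status": "tls-alert", "ciphers": []}
    body = parse_sslv2_record(data)
    if body is None or body[0] != MSG_SERVER_HELLO or len(body) < 11:
        return {"status": "unknown", "ciphers": []}
    # SERVER-HELLO layout: type(1) session-id-hit(1) cert-type(1) version(2)
    #   cert-len(2) cipher-specs-len(2) conn-id-len(2) cert cipher-specs conn-id
    cert_len, specs_len = struct.unpack(">HH", body[5:9])
    specs = body[11 + cert_len: 11 + cert_len + specs_len]
    ciphers = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    status = "sslv2-server-hello" if ciphers else "sslv2-no-ciphers"
    return {"status": status, "ciphers": ciphers}


def probe_sslv2(host: str, port: int = 8443, timeout: float = 5.0) -> dict:
    """Send an SSLv2 CLIENT-HELLO to host:port and classify the reply.

    host/port are assumptions for illustration; point it at the APR/native
    connector you want to verify.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_server_response(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe_sslv2(target))
```

Only a "sslv2-server-hello" result (the server echoes back at least one cipher kind) means SSLv2 is actually negotiable; "tls-alert", "closed" and "sslv2-no-ciphers" all mean the connector will not complete an SSLv2 handshake, which is what you should see on a 1.2.4 build regardless of connector config.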


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

