tomcat-users mailing list archives

From yosi izaq <>
Subject Re: TLS renegotiation MitM vulnerability. Is it fixed in Tomcat?
Date Sun, 24 Jan 2010 13:12:13 GMT
On Sun, Jan 24, 2010 at 1:36 PM, yosi izaq <> wrote:

> Hi,
> I'm an eng. working on a security product that also uses Tomcat for
> Web-server functionality.
> I'm concerned with the known TLS renegotiation MitM vulnerability.
> I would like to ask whether there's a Tomcat version that contains a fix to
> the issue? Say by disabling TLS renegotiation by default and adding a
> configuration parameter for enabling it if needed.
> I did some searching on mail traffic and saw some SVN mentions of such a
> possible fix, so I hope that a fix is either planned or already released.
> TIA,
> Yosi Izaq
> Cisco R&D


I've found mention of this record - CVE-2009-3555.
According to that, the BIO fix is made available in version 6.0.21. Is that
correct? Is the fix also available on version 6.0.18?

