tomcat-dev mailing list archives

From: Christopher Schultz <ch...@christopherschultz.net>
Subject: Re: CVE-2014-0160
Date: Thu, 10 Apr 2014 08:30:01 GMT

Andrew,

On 4/8/14, 5:43 PM, Andrew Carr wrote:
> http://www.openssl.org/news/secadv_20140407.txt
> 
> Hi Tomcat Devs,
> 
> I have been on the dev list for a few years, and a Tomcat developer longer
> than that.  While I haven't contributed yet, I was curious if this CVE
> needs a contribution.  As far as I can tell, if you recompile your native
> libs with the unaffected version of SSL, you will not be vulnerable to this
> CVE.
> 
> Is that assumption correct or does there need to be a change to tcnative?

Technically, it's just a re-link, but it makes sense to push out the
latest 1.1 branch code and call it 1.1.30 to reduce confusion and to get
a few useful features out to the world.

-chris
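
An added example (not part of the original thread and not Tomcat project code): because exposure depends on which OpenSSL build tcnative is linked against, this sketch classifies the OpenSSL version string reported at startup against the releases the linked advisory covers (1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1). The function names are hypothetical, the log lines are constructed samples, and the "OpenSSL successfully initialized (...)" line format is an assumption about what the APR listener logs.

```shell
#!/bin/sh
# Added example: classify logged OpenSSL versions for CVE-2014-0160.
LC_ALL=C; export LC_ALL   # keep [a-f] style ranges ASCII-only

# Print affected / not-affected / unknown for a bare OpenSSL version string.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f])       echo affected ;;      # 1.0.1 through 1.0.1f
        1.0.2-beta|1.0.2-beta1) echo affected ;;      # fixed in 1.0.2-beta2
        1.0.1[g-z]*|1.0.2*)     echo not-affected ;;  # 1.0.1g and later
        0.9.*|1.0.0*)           echo not-affected ;;  # no heartbeat code
        1.1.*|3.*)              echo not-affected ;;
        *)                      echo unknown ;;
    esac
}

# Pull the version token out of a line such as
# "INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)"
# or plain `openssl version` output. Prints nothing if no version is found.
openssl_version_from_line() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][^ )]*\).*/\1/p'
}

# Read log lines on stdin; print "<version> <status>" for each OpenSSL line.
scan_log() {
    while IFS= read -r line; do
        v=$(openssl_version_from_line "$line")
        if [ -n "$v" ]; then
            # Vendor suffixes such as -fips do not change the base release.
            echo "$v $(heartbleed_status "${v%-fips}")"
        fi
    done
    return 0
}

# Constructed sample log lines (not taken from a real server).
sample_log() {
    cat <<'EOF'
INFO: Starting ProtocolHandler ["http-apr-8443"]
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e-fips 11 Feb 2013)
INFO: OpenSSL successfully initialized (OpenSSL 0.9.8y 5 Feb 2013)
EOF
}

sample_log | scan_log
```

A distribution package may carry a backported fix under an unchanged version string, so treat "affected" as a prompt to check the package changelog rather than as proof.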

