Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "Security/Heartbleed" page has been changed by ChristopherSchultz:
https://wiki.apache.org/tomcat/Security/Heartbleed?action=diff&rev1=3&rev2=4

  
  == Am I Vulnerable? ==
  
- If you are running any server that uses OpenSSL version 1.0.1 with any patch 
level before “g” you may be vulnerable. Unless you happened to install OpenSSL 
1.0.1 for the first time after 2014-04-08 or so, you are almost certainly 
vulnerable. If you are running OpenSSL 0.9.8 or 1.0.0, then you are not 
vulnerable to this particular vulnerability. If you are using Tomcat with any 
Java connector (BIO or NIO), then you are not vulnerable to this particular 
vulnerability.
+ If you are running any server that uses OpenSSL version 1.0.1 with any patch 
level before “g” you may be vulnerable. Unless you happened to install OpenSSL 
1.0.1 for the *first* time after 2014-04-08 or so, you are almost certainly 
vulnerable. If you are running an ASF-provided tcnative binary version 
1.1.24-1.1.29, then you are vulnerable, as tcnative ships with a 
statically-linked OpenSSL version which is vulnerable. If you are running 
OpenSSL 0.9.8 or 1.0.0, then you are not vulnerable to this particular 
vulnerability. If you are using Tomcat with any Java connector (BIO or NIO), 
then you are not vulnerable to this particular vulnerability.
  
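Review bot: the new tcnative sentence ("If you are running an ASF-provided tcnative binary version 1.1.24-1.1.29, then you are vulnerable") covers only the ASF-built binaries, and the reason given (a statically-linked OpenSSL) does not apply to a tcnative built from source against a separately installed OpenSSL, so the paragraph should state that case too, for example: "If you built tcnative yourself, or use a distribution package of it, your exposure follows the OpenSSL library it was linked against." The paragraph also tells readers which versions are affected without saying where to read the tcnative or OpenSSL version off a running server; one sentence on how to find it would make the "Am I Vulnerable?" check actionable rather than leaving it at "you may be vulnerable".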
  == How do I fix my servers? ==
  
  This is an easy 2-step process:
  
-  1. Update OpenSSL to a version that includes the fix. The natural version 
number for this is 1.0.1g, though some package maintainers have chosen to 
back-port their fixes to versions with a lower patch-level. Among such 
maintainers are Debian and probably also Debian-based distributions such as 
Ubuntu.
+  1. Update OpenSSL to a version that includes the fix. The natural version 
number for this is 1.0.1g, though some package maintainers have chosen to 
back-port their fixes to versions with a lower patch-level. Among such 
maintainers are Debian and probably also Debian-based distributions such as 
Ubuntu. tcnative 1.1.30 and later include patched versions of OpenSSL.
   
   1. Re-key your server. This means creating a new RSA or DSA server key, 
creating a new CSR for your Certificate Authority, and applying for a 
replacement certificate. All CAs allow for the revocation of a server 
certificate due to “key compromise” which is exactly the reason for the 
re-keying of your server. You should be able to obtain a replacement 
certificate at no charge, though free-certificate providers may charge a fee 
for revocation/replacement.
  
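Review bot: the back-port remark in step 1 ("back-port their fixes to versions with a lower patch-level") means that on Debian and Ubuntu the OpenSSL version string alone cannot tell a reader whether the fix is present, yet the page gives no other check; add a sentence telling those readers to confirm the fix from their distribution's package version or changelog rather than looking for "1.0.1g". "probably also Debian-based distributions such as Ubuntu" is a guess in an advisory; either confirm it against the distribution's own advisory or drop "probably". Step 1 should also say that Tomcat has to be restarted after the OpenSSL or tcnative update, since the library is loaded into the running process and the fix is not effective until then. Step 2 explains that CAs allow revocation for key compromise but never instructs the reader to actually revoke the old certificate once the replacement is installed; make that an explicit action in the step.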

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
