Hi, I'd suppose that the OpenSSL version used by APR depends on the OpenSSL version provided by the underlying OS too. Additionally that yet doesn't say anything about the hearbleed vulnerability cause OpenSSL could have been deactivated by the corresponding compile flag (-DOPENSSL_NO_HEARTBEATS ).
The above statement concerning [1] only applies to Windows where each app usually ships its own version of OpenSSL as a dependency. As you can see in certain situations this has a major drawback cause now each app distributor must provide a support statement that certifies that the bundled OpenSSL version isn't vulnerable or has been updated. That's one reason why I opted for a TomEE Linux package that doesn't redestribute each and every dependency but re-uses those provided by the OS already :) [1] http://people.apache.org/~mturk/native/1.1.30/ Cheers Daniel Cheers Daniel On Fri, Apr 11, 2014 at 5:03 PM, frapien <[email protected]> wrote: > Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using OpenSSL > 1.0.1g you can use from ... > > http://people.apache.org/~mturk/native/1.1.30/ > > > > -- > View this message in context: > http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702p4668722.html > Sent from the OpenEJB Dev mailing list archive at Nabble.com. >
