Thanks Daniel for this interesting and accurate answer.
2014-04-11 21:09 GMT+02:00 dsh <[email protected]>:

> Hi,
>
> I'd suppose that the OpenSSL version used by APR depends on the OpenSSL
> version provided by the underlying OS too. Additionally that yet doesn't
> say anything about the heartbleed vulnerability cause OpenSSL could have
> been deactivated by the corresponding compile flag
> (-DOPENSSL_NO_HEARTBEATS).
>
> The above statement concerning [1] only applies to Windows where each app
> usually ships its own version of OpenSSL as a dependency. As you can see in
> certain situations this has a major drawback cause now each app distributor
> must provide a support statement that certifies that the bundled OpenSSL
> version isn't vulnerable or has been updated.
>
> That's one reason why I opted for a TomEE Linux package that doesn't
> redistribute each and every dependency but re-uses those provided by the OS
> already :)
>
> [1] http://people.apache.org/~mturk/native/1.1.30/
>
> Cheers
> Daniel
>
>
> On Fri, Apr 11, 2014 at 5:03 PM, frapien <[email protected]> wrote:
>
> > Apache Tomcat Native library 1.1.30 using APR version 1.4.8 using OpenSSL
> > 1.0.1g you can use from ...
> >
> > http://people.apache.org/~mturk/native/1.1.30/
> >
> > --
> > View this message in context:
> > http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702p4668722.html
> > Sent from the OpenEJB Dev mailing list archive at Nabble.com.

--
Jean-Louis
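Added example, not part of the original thread: a small Python check that applies the two criteria discussed in the quoted message (the OpenSSL version string and the `-DOPENSSL_NO_HEARTBEATS` compile flag) to the text printed by `openssl version -a`. The function name, result labels and sample outputs are constructed for illustration, and the check assumes the text comes from the OpenSSL build actually linked by the application.

```python
import re

# Upstream OpenSSL 1.0.1 through 1.0.1f shipped the Heartbleed bug; 1.0.1g fixed it.
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?")


def classify(version_output):
    """Classify the text printed by `openssl version -a` for one OpenSSL build."""
    m = VERSION_RE.search(version_output)
    if m is None or m.group(3):
        # Unparseable, or a beta build whose status this sketch does not decide.
        return "unknown"
    base, letter = m.group(1), m.group(2)
    if base != "1.0.1" or letter not in AFFECTED_LETTERS:
        return "not-affected"
    # The "compiler:" line lists the -D flags the library was built with.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeats-disabled"
    # Distributions often backport the fix without changing this version string,
    # so confirm against the vendor's package version before calling it vulnerable.
    return "affected-range"


# Constructed sample outputs (not captured from a real host).
SAMPLES = {
    "os-package": "OpenSSL 1.0.1f 6 Jan 2014\n"
                  "compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O2\n",
    "no-heartbeats": "OpenSSL 1.0.1e 11 Feb 2013\n"
                     "compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2\n",
    "bundled-1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\n"
                      "compiler: cl /MD /Ox -DOPENSSL_THREADS\n",
    "old-branch": "OpenSSL 0.9.8y 5 Feb 2013\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {classify(text)}")
```

On Windows installs that bundle their own OpenSSL, the system `openssl` binary may not be the library the application loads, so the version text has to come from the bundled build.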
