Another perspective on this matter: “Returning to Heartbleed, one thing conspicuously missing from the downshouting against OpenSSL is any pointer to a closed-source implementation that is known to have a lower defect rate over time. This is for the very good reason that no such empirically-better implementation exists.” - Eric S Raymond
Cheers
Daniel

On Mon, Apr 14, 2014 at 7:22 AM, Romain Manni-Bucau <[email protected]> wrote:

> Well, it depends a lot on your config. Even Tomcat 7.0.53 is vulnerable to
> heartbleed (fix release in progress with tc native)...but only if you use
> native. In summary, if you don't use apr you are safe (jsse typically).
> On 13 Apr 2014 23:10, "ihunter" <[email protected]> wrote:
>
> > Hi Folks,
> >
> > Sorry about this - we're having a dose of paranoia regarding HeartBleed.
> >
> > I *believe* that TomEE 1.6.0 comes with OpenSSL at version 1.0.1c.
> >
> > I don't know about our old installation Tomcat 6.0.35.
> >
> > Can someone please give me a definitive answer on what versions are
> > involved, and if we need to take any action on this HeartBleed thing.
> >
> > Many Thanks
> > Ian Hunter
> >
> > --
> > View this message in context:
> > http://openejb.979440.n4.nabble.com/OpenSSL-Version-and-HeartBleed-tp4668702.html
> > Sent from the OpenEJB Dev mailing list archive at Nabble.com.
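
An added illustration of the APR-versus-JSSE distinction made in the quoted reply (not code from this thread or from the Tomcat/TomEE projects): the Python sketch below classifies each TLS connector in a server.xml and flags those that would use the native OpenSSL stack when the supplied OpenSSL version falls in the 1.0.1 to 1.0.1f range affected by Heartbleed. The sample server.xml, the function names and the status strings are constructed for the example, and the version passed in is assumed to be that of the OpenSSL library tcnative is linked against.

```python
import re
import xml.etree.ElementTree as ET

APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample server.xml (not taken from the thread).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
    <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"/>
  </Service>
</Server>
"""

def openssl_affected(version):
    """Heartbleed affects OpenSSL releases 1.0.1 through 1.0.1f; 1.0.1g is fixed."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version.strip())
    return m is not None and m.group(1) < "g"

def tls_stack(connector, apr_listener):
    """Classify one <Connector> as 'APR', 'APR-if-native-loaded' or 'JSSE'."""
    protocol = connector.get("protocol", "HTTP/1.1")
    if protocol == APR_PROTOCOL:
        return "APR"
    # "HTTP/1.1" auto-selects the APR connector when the native library loads.
    if protocol == "HTTP/1.1" and apr_listener:
        return "APR-if-native-loaded"
    return "JSSE"

def assess(server_xml, native_openssl_version):
    """Return [(port, stack, needs_action)] for every TLS-enabled connector."""
    root = ET.fromstring(server_xml)
    apr_listener = any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))
    affected = openssl_affected(native_openssl_version)
    findings = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue  # no TLS on this connector
        stack = tls_stack(c, apr_listener)
        findings.append((c.get("port"), stack, affected and stack != "JSSE"))
    return findings

if __name__ == "__main__":
    for port, stack, needs_action in assess(SAMPLE_SERVER_XML, "1.0.1c"):
        print(port, stack, "ACTION NEEDED" if needs_action else "ok")
```

A connector reported as APR-if-native-loaded still needs a check on the host for whether the tcnative library is actually on java.library.path.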
