[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://bz.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #9 from michael.lit...@nuix.com ---
I was able to download tcnative-1.dll version 1.1.33 from http://apache.spinellicreations.com/tomcat/tomcat-connectors/native/1.1.33/

Thanks very much.

--
You are receiving this mail because: You are the assignee for the bug.
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://bz.apache.org/bugzilla/show_bug.cgi?id=57465

Mark Thomas ma...@apache.org changed:
What        |Removed |Added
Status      |NEW     |RESOLVED
Resolution  |---     |FIXED

--- Comment #8 from Mark Thomas ma...@apache.org ---
Already in-hand. See the dev list for the release vote which is currently in progress.
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://bz.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #7 from michael.lit...@nuix.com ---
I took a look at the steps for building tcnative-1.dll, at http://wiki.apache.org/tomcat/BuildTcNativeWin, and found them to be beyond my skill level.

I've asked the vendor of the application I use, Atlassian JIRA (for Windows), to build tcnative-1.dll for me, linked to the latest OpenSSL 1.0.1m and APR. See https://jira.atlassian.com/browse/JRA-38927. But they have never directly responded to any of my comments/requests, and have yet to make newer builds of tcnative-1.dll available.

So, I request that a fresh build of tcnative-1.dll, linked to OpenSSL 1.0.1m and the newest APR, be made and posted up on http://apache.org/dist/tomcat/tomcat-connectors/native/. This would be a great service to users of products such as Atlassian JIRA for Windows, who currently lack a way to securely deploy public-facing server instances.

Thanks,
- Michael
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

Brett Randall javabr...@gmail.com changed:
What  |Removed |Added
CC    |        |javabr...@gmail.com
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #2 from brian.m.pick...@gmail.com ---
Unless I'm somehow mistaken, I believe the following CVEs apply to OpenSSL 1.0.1j, and I believe tcnative 1.1.31 is built with 1.0.1j.

CVE-2014-3569: 21st October 2014
CVE-2014-8275: 5th January 2015
CVE-2014-3572: 5th January 2015
CVE-2015-0204: 6th January 2015
CVE-2014-3570: 8th January 2015
CVE-2015-0205: 8th January 2015
CVE-2015-0206: 8th January 2015
CVE-2014-3571: 8th January 2015
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #5 from brian.m.pick...@gmail.com ---
(In reply to Mark Thomas from comment #4)
> Again, which of those do you think apply to tc-native? Just because OpenSSL
> has a vulnerability that does not mean that tc-native automatically has the
> vulnerability.

I admit most of those CVEs affect the ssl3_get_key_exchange function, and I believe SSLv3 is switched off in tcnative by default and is known to be an insecure protocol. And I do not know if DTLS is a protocol supported by Tomcat Native. However, the reported ability to defeat the certificate blacklist does seem somewhat problematic, as reported in CVE-2014-8275.
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

Mark Thomas ma...@apache.org changed:
What  |Removed |Added
OS    |        |All

--- Comment #1 from Mark Thomas ma...@apache.org ---
Which vulnerability do you think applies to the tc-native binary? I don't see anything in the most recent OpenSSL announcement that would require a new tc-native release.
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #3 from brian.m.pick...@gmail.com ---
(In reply to brian.m.pickens from comment #2)
> Unless I'm somehow mistaken, I believe the following CVEs apply to OpenSSL
> 1.0.1j, and I believe tcnative 1.1.31 is built with 1.0.1j.
>
> CVE-2014-3569: 21st October 2014
> CVE-2014-8275: 5th January 2015
> CVE-2014-3572: 5th January 2015
> CVE-2015-0204: 6th January 2015
> CVE-2014-3570: 8th January 2015
> CVE-2015-0205: 8th January 2015
> CVE-2015-0206: 8th January 2015
> CVE-2014-3571: 8th January 2015

Basically, according to these CVEs the specified OpenSSL version is vulnerable to DDoS attacks, downgraded key attacks, and removal of forward secrecy attacks, these being the most critical of the rest.
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #4 from Mark Thomas ma...@apache.org ---
Again, which of those do you think apply to tc-native? Just because OpenSSL has a vulnerability that does not mean that tc-native automatically has the vulnerability.
[Bug 57465] Build TC Native with latest OpenSSL to address CVEs
https://issues.apache.org/bugzilla/show_bug.cgi?id=57465

--- Comment #6 from Mark Thomas ma...@apache.org ---
DTLS is not supported by tc-native. Neither was the no-ssl3 build option used to produce the Windows binaries. The client issues are also clearly not relevant.

That leaves three issues, all of which appear to be very unlikely to impact tc-native users. In the unlikely event of folks needing fixes for these issues it isn't that hard to build tc-native now that the build process has been fully documented on the wiki: http://wiki.apache.org/tomcat/BuildTcNativeWin

I am therefore minded to close this as WONTFIX, subject to a re-evaluation of that decision if we discover one or more of the 3 remaining issues are more likely than we thought to impact tc-native users.
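The thread turns on which OpenSSL is statically linked into a given tc-native binary (1.1.31 with 1.0.1j versus 1.1.33 with newer OpenSSL). A defender-side check that follows from this, added here as an example and not code from the bug report or the Tomcat project: parse the two AprLifecycleListener startup lines Tomcat logs, extract the tc-native and bundled OpenSSL versions, and compare the OpenSSL version against a required minimum. The sample log lines are constructed, and the 1.0.1m minimum is an assumption taken from the thread's "latest OpenSSL" at the time.

```python
import re
from typing import Dict, Tuple

# Constructed sample of Tomcat startup logging: the AprLifecycleListener lines
# that report the loaded tc-native/APR versions and the OpenSSL it initialised.
SAMPLE_LOG = """\
INFO: Loaded APR based Apache Tomcat Native library 1.1.31 using APR version 1.5.1.
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
"""

NATIVE_RE = re.compile(r"Apache Tomcat Native library (\S+) using APR version (\S+)\.")
OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\S+) ")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_versions(log: str) -> Dict[str, str]:
    """Pull the tc-native, APR and OpenSSL versions out of Tomcat startup output."""
    found: Dict[str, str] = {}
    for line in log.splitlines():
        m = NATIVE_RE.search(line)
        if m:
            found["tcnative"], found["apr"] = m.group(1), m.group(2)
        m = OPENSSL_RE.search(line)
        if m:
            found["openssl"] = m.group(1)
    return found


def openssl_key(version: str) -> tuple:
    """Sort key for pre-1.1.0 OpenSSL versions: the trailing letters are a patch
    level (1.0.1 < 1.0.1j < 1.0.1m), so they compare after the numeric parts."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_below(version: str, minimum: str) -> bool:
    return openssl_key(version) < openssl_key(minimum)


def audit(log: str, minimum_openssl: str) -> Tuple[bool, str]:
    """Return (needs_update, message) for the OpenSSL linked into tc-native."""
    v = parse_versions(log)
    if "openssl" not in v:
        return True, "OpenSSL version not reported; the APR/native connector may not have loaded"
    if is_below(v["openssl"], minimum_openssl):
        return True, f"tc-native {v.get('tcnative', '?')} bundles OpenSSL {v['openssl']} < {minimum_openssl}"
    return False, f"OpenSSL {v['openssl']} meets minimum {minimum_openssl}"


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "1.0.1m"))
```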