> From: Jeffrey Janner [mailto:jeffrey.jan...@polydyne.com] 
> Sent: Wednesday, June 25, 2014 6:05 PM
> To: 'Tomcat Users List'
> Subject: CVE-2014-0224
>
> Does anyone know of a way to mitigate this vulnerability until the latest 
> OpenSSL patch can be applied to the Native Libraries?
> Perhaps limiting the cipher list to the list of strongest ciphers available 
> that are supported by the major browsers?
> Is there a listing somewhere of the cipher lists supported by those browsers?

Answering my own post after doing a little googling (Google is Your Friend. 
Trust the Google.) Actually, Red Hat is providing the answer:

There is no known mitigation for this issue. The only way to fix it is to 
install updated OpenSSL packages and restart affected services.

The vulnerability can only be exploited if both server and client are 
vulnerable to this issue. In the event that one of the two is vulnerable, there 
is no risk of exploitation.



