Re: Time for Tomcat Native 1.2.24?
On 2020-04-22 at 12:34, Mark Thomas wrote:
> Hi all,
>
> You have probably seen this:
> OpenSSL - CVE-2020-1967
> https://openssl.markmail.org/thread/nuamcatocap7rwrw
>
> I have reviewed the Tomcat Native code and confirmed that we do not call
> SSL_check_chain() at any point.
>
> I also looked at the OpenSSL code as I was concerned that we might hit
> the same problem via an internal code path. It appears I wasn't the only
> one with that concern and the OpenSSL team confirmed that the issue only
> occurs when calling SSL_check_chain():
> https://openssl.markmail.org/thread/okfaim5oqhh2egj6
>
> Therefore, it is not necessary to roll a new Tomcat Native release to
> pick up an updated OpenSSL version for the Windows binaries.
>
> That said, there are a few Tomcat Native fixes since 1.2.23 and it has
> been 9 months since the last release. We should have enough time to get
> a 1.2.24 release out if we want to.
>
> Thoughts?

This sounds good to me. I'd like to add one more thing: remove dep on apr_thread_id in ssl_thread_id() because our impl is so elaborate that using APR here adds no benefit. With this change we can completely isolate the requirement of APR threading support to pre-OpenSSL 1.1.0 usage. But this will be for 1.2.25. I will work on this little thing this week.

M

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: Time for Tomcat Native 1.2.24?
Hi,

On Wed, Apr 22, 2020 at 1:34 PM Mark Thomas wrote:
> Hi all,
>
> You have probably seen this:
> OpenSSL - CVE-2020-1967
> https://openssl.markmail.org/thread/nuamcatocap7rwrw
>
> I have reviewed the Tomcat Native code and confirmed that we do not call
> SSL_check_chain() at any point.
>
> I also looked at the OpenSSL code as I was concerned that we might hit
> the same problem via an internal code path. It appears I wasn't the only
> one with that concern and the OpenSSL team confirmed that the issue only
> occurs when calling SSL_check_chain():
> https://openssl.markmail.org/thread/okfaim5oqhh2egj6
>
> Therefore, it is not necessary to roll a new Tomcat Native release to
> pick up an updated OpenSSL version for the Windows binaries.
>
> That said, there are a few Tomcat Native fixes since 1.2.23 and it has
> been 9 months since the last release. We should have enough time to get
> a 1.2.24 release out if we want to.
>
> Thoughts?

+1

I use a build from the master branch for my testing application and I didn't have any problems with it!

Regards,
Martin

> Mark
Time for Tomcat Native 1.2.24?
Hi all,

You have probably seen this:
OpenSSL - CVE-2020-1967
https://openssl.markmail.org/thread/nuamcatocap7rwrw

I have reviewed the Tomcat Native code and confirmed that we do not call SSL_check_chain() at any point.

I also looked at the OpenSSL code as I was concerned that we might hit the same problem via an internal code path. It appears I wasn't the only one with that concern and the OpenSSL team confirmed that the issue only occurs when calling SSL_check_chain():
https://openssl.markmail.org/thread/okfaim5oqhh2egj6

Therefore, it is not necessary to roll a new Tomcat Native release to pick up an updated OpenSSL version for the Windows binaries.

That said, there are a few Tomcat Native fixes since 1.2.23 and it has been 9 months since the last release. We should have enough time to get a 1.2.24 release out if we want to.

Thoughts?

Mark