2014-04-16 0:46 GMT+04:00 Scott Johnson <sjohn...@dag.com>: > I deploy Tomcat 7 in both 64 and 32 bit environments. When I deploy/upgrade, > I download Tomcat from this page: http://tomcat.apache.org/download-70.cgi, > downloading both the 32-bit Windows and 64-bit Windows zip files. > > > > I would like to make sure that my Tomcat deployments are secure from the > OpenSSL Heartbleed bug, and my understanding is that I simply need to > replace tcnative-1.dll in my download with one from this page: > http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/binaries/.
Where did you get that link? A policy is that we do not advertise direct links to the ASF server, but suggest using the mirrors. http://tomcat.apache.org/download-native.cgi -> "You may download them from HERE" (a link) Though the ASF server contains the MD% and ASC files. (Those are not mirrored). > But > which one? I assume I don't need OCSP-do I? Yes, that is correct. > But then in the download there > are 3 different versions, one at the top level, one in i64 and one in x64. > Can I assume that the top level one is 32 bit and the x64 one is 64 bit? Yes, that is correct. > Of course, it would be useful if there were simply a new release of Tomcat, > or a readily available guide for current users on how to protect ourselves > from this issue. Knowing whether an updated Heartbleed-free version of > Windows Tomcat was coming in the next few days would resolve this issue as > well. A work is going, but that will take some time. There are still bugs that need fixing before cutting a release. The release vote itself will take 3 days (72h). A guide is on the wiki, http://wiki.apache.org/tomcat/Security/Heartbleed Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org