Thanks for your reply, that clears up just about everything. I got the link directly from the Bugzilla bug where this issue was reported, by the way.
Scott

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Tuesday, April 15, 2014 3:03 PM
To: Tomcat Users List
Subject: Re: Which tcnative to replace for Heartbleed?

2014-04-16 0:46 GMT+04:00 Scott Johnson <sjohn...@dag.com>:
> I deploy Tomcat 7 in both 64 and 32 bit environments. When I
> deploy/upgrade, I download Tomcat from this page:
> http://tomcat.apache.org/download-70.cgi,
> downloading both the 32-bit Windows and 64-bit Windows zip files.
>
> I would like to make sure that my Tomcat deployments are secure from
> the OpenSSL Heartbleed bug, and my understanding is that I simply need
> to replace tcnative-1.dll in my download with one from this page:
> http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/binaries/.

Where did you get that link?
A policy is that we do not advertise direct links to the ASF server, but suggest using the mirrors.

http://tomcat.apache.org/download-native.cgi
-> "You may download them from HERE" (a link)

Though the ASF server contains the MD5 and ASC files. (Those are not mirrored).

> But
> which one? I assume I don't need OCSP - do I?

Yes, that is correct.

> But then in the download there
> are 3 different versions, one at the top level, one in i64 and one in x64.
> Can I assume that the top level one is 32 bit and the x64 one is 64 bit?

Yes, that is correct.

> Of course, it would be useful if there were simply a new release of
> Tomcat, or a readily available guide for current users on how to
> protect ourselves from this issue. Knowing whether an updated
> Heartbleed-free version of Windows Tomcat was coming in the next few
> days would resolve this issue as well.

Work is ongoing, but that will take some time. There are still bugs that need fixing before cutting a release. The release vote itself will take 3 days (72h).
A guide is on the wiki,
http://wiki.apache.org/tomcat/Security/Heartbleed

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
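
The thread confirms that the top-level tcnative-1.dll is the 32-bit build and the one under x64 is 64-bit. The following is an added example, not part of the original messages or of Tomcat: it reads the Machine field of a DLL's PE header so the replacement file can be checked against the JVM's bitness before it is dropped into Tomcat's bin directory. The function names and the constructed header stub are assumptions for illustration, and treating the i64 directory as Itanium (IA-64) builds is also an assumption.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit, AMD64)",
    0x0200: "IA-64 (64-bit, Itanium)",
}


def pe_machine(data: bytes) -> str:
    """Return the target architecture recorded in a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # The 16-bit Machine field immediately follows the signature.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")


def make_stub(machine: int) -> bytes:
    """Constructed sample: the smallest header pe_machine accepts, not a real DLL."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos_header + b"PE\0\0" + struct.pack("<H", machine)


def check_file(path: str) -> str:
    """Classify a DLL on disk; the first 4 KiB covers the headers of typical builds."""
    with open(path, "rb") as fh:
        return pe_machine(fh.read(4096))


if __name__ == "__main__":
    # Usage: python check_arch.py path\to\tcnative-1.dll [more DLLs...]
    for dll_path in sys.argv[1:]:
        print(dll_path, "->", check_file(dll_path))
```

This only confirms the architecture of the file. Authenticity of the download is a separate check against the MD5 and ASC files that the reply says are kept on the ASF server.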