Thanks for your reply, that clears up just about everything. I got the link 
directly from the Bugzilla bug where this issue was reported, by the way.

Scott

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com] 
Sent: Tuesday, April 15, 2014 3:03 PM
To: Tomcat Users List
Subject: Re: Which tcnative to replace for Heartbleed?

2014-04-16 0:46 GMT+04:00 Scott Johnson <sjohn...@dag.com>:
> I deploy Tomcat 7 in both 64 and 32 bit environments. When I 
> deploy/upgrade, I download Tomcat from this page: 
> http://tomcat.apache.org/download-70.cgi,
> downloading both the 32-bit Windows and 64-bit Windows zip files.
>
>
>
> I would like to make sure that my Tomcat deployments are secure from 
> the OpenSSL Heartbleed bug, and my understanding is that I simply need 
> to replace tcnative-1.dll in my download with one from this page:
> http://apache.org/dist/tomcat/tomcat-connectors/native/1.1.30/binaries/.

Where did you get that link?
A policy is that we do not advertise direct links to the ASF server, but 
suggest using the mirrors.

http://tomcat.apache.org/download-native.cgi
-> "You may download them from HERE" (a link)

Though the ASF server contains the MD% and ASC files. (Those are not mirrored).

> But
> which one? I assume I don't need OCSP-do I?

Yes, that is correct.

> But then in the download there
> are 3 different versions, one at the top level, one in i64 and one in x64.
> Can I assume that the top level one is 32 bit and the x64 one is 64 bit?

Yes, that is correct.

> Of course, it would be useful if there were simply a new release of 
> Tomcat, or a readily available guide  for current users on how to 
> protect ourselves from this issue. Knowing whether an updated 
> Heartbleed-free version of Windows Tomcat was coming in the next few 
> days would resolve this issue as well.

A work is going, but that will take some time. There are still bugs that need 
fixing before cutting a release. The release vote itself will take 3 days (72h).

A guide is on the wiki,
http://wiki.apache.org/tomcat/Security/Heartbleed

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to