Hermes Flying wrote:
Just to be clear: when I say report, I mean a report from a security penetration test suite which reports that the server allows renegotiation.




________________________________
 From: Hermes Flying <flyingher...@yahoo.com>
To: "users@tomcat.apache.org" <users@tomcat.apache.org>
Sent: Monday, November 26, 2012 10:36 PM
Subject: Tomcat ssl vulnerability CVE-2009-3555
Hi, I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL client renegotiation DoS.

Hi.

I believe that Tomcat 5.35 does not exist. You probably mean 5.5.35.

You may first want to have a look at this page:
http://tomcat.apache.org/tomcat-55-eol.html

To comment on your request for help, and without getting into the technical details:

You do not specify which "security penetration test suite" was used to get this result. Such tools are known to generate false positives from time to time, and naming the tool may trigger someone's memory.

Tomcat is free software, developed, maintained and supported by volunteers. As is human and logical, they like to dedicate more of their time to recent and current versions of Tomcat, rather than old ones, particularly after their end of life has been reached. That may be considered as a reasonable trade-off for being able to use software that is free of charge.

To your own benefit, then: you would probably have a much better chance of getting attention and help for such an issue if you installed a recent version of Tomcat and confirmed with the same tool that you are getting the same result (or not), rather than "supposing" that you would.
(Have you tried to upgrade at least to v5.5.36, which is the "most current" release of that same branch, and checked whether the same issue exists?)

If you then do *not* see the same issue, there is a reasonable chance that the recommendation that will be made is to upgrade Tomcat to this more recent version.
Otherwise, you will have to provide reasonable motives for which you cannot do that.

But if you *do* see the same issue with a very recent version, then it is almost guaranteed that you will get immediate attention.

All that does not mean that there will not be someone on this list that is willing to dedicate time to your issue, but you may be willing to increase your chances anyway.
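The reply above suggests re-running the same check against the old and the upgraded Tomcat before asking for help. The script below is an added example for this thread, not code from the list, from the scanner the poster used, or from the Tomcat project. It reproduces with plain openssl(1) what a renegotiation scanner typically probes: whether the server advertises RFC 5746 secure renegotiation (the fix for CVE-2009-3555) and whether it still accepts a client-initiated renegotiation (the condition a "renegotiation DoS" finding is usually based on, which is a separate concern from CVE-2009-3555 itself). The `reneg_verdict` function classifies an s_client transcript; `probe_renegotiation` produces one by sending s_client's `R` command after the handshake. The host and port are hypothetical, and the sample transcripts are constructed, abridged stand-ins for real s_client output.

```shell
#!/bin/sh
# Added example: reproduce a TLS renegotiation check with openssl s_client so
# the result can be compared between two Tomcat versions. Not from the thread
# or from Tomcat. Assumes openssl(1) is on PATH; HOST/PORT are hypothetical.

# reneg_verdict: classify an `openssl s_client` transcript read from stdin.
# Prints "secure_reneg=<yes|no> client_reneg=<accepted|refused|untested>",
# or "handshake=failed" when no TLS session summary is present at all.
reneg_verdict() {
    t=$(cat)
    # s_client prints exactly one of these lines in its session summary.
    case "$t" in
        *"Secure Renegotiation IS supported"*)     secure=yes ;;
        *"Secure Renegotiation IS NOT supported"*) secure=no ;;
        *) echo "handshake=failed"; return 0 ;;
    esac
    # Everything after the RENEGOTIATING marker is the outcome of the "R"
    # command; s_client emits an OpenSSL error line when the server refuses.
    case "$t" in
        *RENEGOTIATING*)
            after=${t##*RENEGOTIATING}
            case "$after" in
                *":error:"*|*"handshake failure"*|*"no renegotiation"*|*"unexpected message"*)
                    client=refused ;;
                *)  client=accepted ;;
            esac ;;
        *)  client=untested ;;
    esac
    echo "secure_reneg=$secure client_reneg=$client"
}

# probe_renegotiation HOST [PORT]: connect, give the handshake time to
# finish, send s_client's "R" (renegotiate) command, then classify.
probe_renegotiation() {
    host=$1
    port=${2:-443}
    { sleep 2; printf 'R\n'; sleep 2; } \
        | openssl s_client -connect "$host:$port" 2>&1 \
        | reneg_verdict
}

# Constructed, abridged transcripts standing in for real s_client output.
# A server that advertises RFC 5746 and rejects the client's renegotiation:
SAMPLE_REFUSED='CONNECTED(00000003)
---
Secure Renegotiation IS supported
---
RENEGOTIATING
140735:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1256:'

# A server without RFC 5746 that lets the renegotiation complete; this is
# the combination both a CVE-2009-3555 check and a renegotiation DoS check flag:
SAMPLE_LEGACY_ACCEPTED='CONNECTED(00000003)
---
Secure Renegotiation IS NOT supported
---
RENEGOTIATING
depth=0 CN = example.test
verify return:1'

# Run a live probe only when a host is given, e.g.:
#   sh reneg_check.sh old-tomcat.example.test 8443
#   sh reneg_check.sh new-tomcat.example.test 8443
if [ $# -ge 1 ]; then
    probe_renegotiation "$@"
fi
```

Run it once against the 5.5.x instance and once against the upgraded one; two matching verdicts with a "client_reneg=accepted" result are what would justify a report to the list, while a verdict that differs from the scanner's is the false-positive case the reply mentions.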

