Hi, Tomcat 6.0.45 and Tomcat Native 1.1.34 seem to be affected by the security issue CVE-2016-2107, see also:
https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/ According to http://tomcat.10.x6.nabble.com/OpenSSL-issues-and-release-plans-td5050269.html a fix seems to be available for Tomcat 8/9. But what about Tomcat6? Are there plans to release a fixed version of the Tomcat Native libs, that contain a newer version of OpenSSL? According to https://www.openssl.org/news/vulnerabilities.html#2016-2107 this should be 1.0.1t. Thanks & Best regards, Matthias Reischenbacher --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
