On 22/08/2016 15:12, Matthias Reischenbacher wrote:
> Hi,
>
> Tomcat 6.0.45 and Tomcat Native 1.1.34 seem to be affected by the
> security issue CVE-2016-2107, see also:
>
> https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
>
> According to
> http://tomcat.10.x6.nabble.com/OpenSSL-issues-and-release-plans-td5050269.html
> a fix seems to be available for Tomcat 8/9. But what about Tomcat6? Are
> there plans to release a fixed version of the Tomcat Native libs, that
> contain a newer version of OpenSSL? According to
> https://www.openssl.org/news/vulnerabilities.html#2016-2107 this should
> be 1.0.1t.

As per the e-mail you quoted this was fixed in tc-native 1.2.7. Since
then there has been 1.2.8 so I'd recommend you use that.

Mark