Hi Mark, thanks for your reply. I wrongly assumed that tc-native 1.2 is not compatible with Tomcat 6 and the 1.1 release branch has to be used instead. But I guess I'm wrong and will give it a try.
Thanks again for your help & best regards, Matthias On 22.08.2016 11:26, Mark Thomas wrote: > On 22/08/2016 15:12, Matthias Reischenbacher wrote: >> Hi, >> >> Tomcat 6.0.45 and Tomcat Native 1.1.34 seem to be affected by the >> security issue CVE-2016-2107, see also: >> >> https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/ >> >> According to >> http://tomcat.10.x6.nabble.com/OpenSSL-issues-and-release-plans-td5050269.html >> a fix seems to be available for Tomcat 8/9. But what about Tomcat6? Are >> there plans to release a fixed version of the Tomcat Native libs, that >> contain a newer version of OpenSSL? According to >> https://www.openssl.org/news/vulnerabilities.html#2016-2107 this should >> be 1.0.1t. > As per the e-mail you quoted this was fixed in tc-native 1.2.7. Since > then there has been 1.2.8 so I'd recommend you use that. > > Mark > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
