All,

I'm primarily looking at the Windows builds for Tomcat Native.

tc-native 1.1.34 was built with OpenSSL 1.0.1q
tc-native 1.2.4 was built with OpenSSL 1.0.2e
Looking at the latest OpenSSL security vulnerabilities:

CVE-2016-0800: SSLv2 disabled by default. Not an issue.
CVE-2016-0705: Low. Considered rare.
CVE-2016-0798: Feature not used. Not an issue.
CVE-2016-0797: Config data is trusted. Not an issue.
CVE-2016-0799: Feature not used. Not an issue.
CVE-2016-0702: Low. Limited exploit potential.
CVE-2016-0703: Fixed in the versions we used.
CVE-2016-0704: Fixed in the versions we used.

So my reading of this is that folks that deliberately re-enable SSLv2 are going to have issues. But you could argue enabling SSLv2 does that all on its own. The other two issues are rare/hard to exploit.

I don't see a need to rush out a tc-native release. On the other hand, a 1.2.5 wouldn't hurt and the version numbering reporting looks like a useful change.

What does everyone think to a tc-native 1.2.5 release followed by 9.0.x and 8.0.x releases to pick up the new Windows binaries?

Mark