Hi all,

You have probably seen this: OpenSSL - CVE-2020-1967
https://openssl.markmail.org/thread/nuamcatocap7rwrw

I have reviewed the Tomcat Native code and confirmed that we do not call SSL_check_chain() at any point. I also looked at the OpenSSL code as I was concerned that we might hit the same problem via an internal code path. It appears I wasn't the only one with that concern and the OpenSSL team confirmed that the issue only occurs when calling SSL_check_chain():
https://openssl.markmail.org/thread/okfaim5oqhh2egj6

Therefore, it is not necessary to roll a new Tomcat Native release to pick up an updated OpenSSL version for the Windows binaries.

That said, there are a few Tomcat Native fixes since 1.2.23 and it has been 9 months since the last release. We should have enough time to get a 1.2.24 release out if we want to.

Thoughts?

Mark