Hi all,
OpenSSL have published a security announcement alongside the latest release:
https://www.openssl.org/news/secadv/20210824.txt
I'm trying to figure out if Tomcat Native is affected by these.
For CVE-2021-3711 it isn't clear to me if the issue relates to just
stand-alone decryption or if any use of SM2 - including in a TLS cipher
- is affected.
For CVE-2021-3712 I can't find any references in the Tomcat Native code
to any of the functions named as potential ways to construct an
ASN1_STRING without the NUL terminators.
Can anyone shed more light on CVE-2021-3711? We do have one fix related
to building with OpenSSL 3.0.0 so it might be simpler to just do a
release anyway.
Thoughts?
Mark