2011/8/1 Rainer Jung <rainer.j...@kippdata.de>:
> - Binaries built against old APR 1.3.12 (recent is 1.4.5)
> and OpenSSL 0.9.8r (recent is 1.0.1d).
> Is that intentional?

(I think you meant 1.0.0d. That is what the latest version is [1].)

1. Both other products I use that depend on OpenSSL (Apache HTTPD and Subversion) are already upgraded to APR 1.4.5 and OpenSSL 1.0.0d in those builds that I am using.

2. The OpenSSL version seems formally OK, because 0.9.8r and 1.0.0d were released on the same day and contain the same vulnerability fixes. Though I would prefer 1.0.0d, because of "1." above.

3. APR version - it is hard to assess, but from a quick glance it looks like 1.4.5 has a fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419 (further fixed in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928). Anyway, apr.apache.org does not mention 1.3.12 as recommended in any way. The only legacy version mentioned is 0.9.

The APR website security page is lacking [2]; it does not mention what security fixes were there and to what versions they apply - one has to look into change logs and elsewhere.

[1] http://openssl.org/news/
[2] http://apr.apache.org/security_report.html

Best regards,
Konstantin Kolinko