Author: schultz
Date: Mon Apr 14 18:13:39 2014
New Revision: 1587268

URL: http://svn.apache.org/r1587268
Log:
Added security statement regarding CVE-2014-0160 (aka OpenSSL Heartbleed). 

Modified:
    tomcat/site/trunk/docs/security-native.html
    tomcat/site/trunk/xdocs/security-native.xml

Modified: tomcat/site/trunk/docs/security-native.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1587268&r1=1587267&r2=1587268&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Mon Apr 14 18:13:39 2014
@@ -261,6 +261,30 @@
        vary with both application and client. In some circumstances disabling
        renegotiation may result in some clients being unable to access the
        application.</p>
+
+    
+<p>
+<strong>Important: Remote Memory Read</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160"; 
rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
+
+    
+<p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+        can allow an unauthenticated remote user to read certain contents of
+        the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+        include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+        ship with patched versions of OpenSSL.</p>
+
+    
+<p>An explanation of how to deterine whether you are vulnerable and what
+        steps to take, see the Tomcat Wiki's
+        <a 
href="https://wiki.apache.org/tomcat/Security/Heartbleed";>Heartbleed</a>
+        page.</p>
+
+    
+<p>This issue was first announced on 7 April 2014.</p>
+
+    
+<p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
   
 </div>
 </div>
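Review bot: The OpenSSL link in the second added paragraph uses href="www.openssl.org" with no scheme, so a browser resolves it relative to the security-native page instead of going to the OpenSSL site. Give it an absolute URL with the scheme included. The advisory text itself also says that only binary versions of tcnative 1.1.24 - 1.1.29 include the vulnerable OpenSSL, while the closing "Affects:" line lists tcnative 1.1.24-1.1.29 without that qualifier; repeating "binary" there would keep source builds linked against an unaffected OpenSSL from being read as vulnerable.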

Modified: tomcat/site/trunk/xdocs/security-native.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-native.xml?rev=1587268&r1=1587267&r2=1587268&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-native.xml (original)
+++ tomcat/site/trunk/xdocs/security-native.xml Mon Apr 14 18:13:39 2014
@@ -54,8 +54,25 @@
        vary with both application and client. In some circumstances disabling
        renegotiation may result in some clients being unable to access the
        application.</p>
-  </section>
 
+    <p><strong>Important: Remote Memory Read</strong>
+       <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p>
+
+    <p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+        can allow an unauthenticated remote user to read certain contents of
+        the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+        include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+        ship with patched versions of OpenSSL.</p>
+
+    <p>An explanation of how to deterine whether you are vulnerable and what
+        steps to take, see the Tomcat Wiki's
+        <a 
href="https://wiki.apache.org/tomcat/Security/Heartbleed";>Heartbleed</a>
+        page.</p>
+
+    <p>This issue was first announced on 7 April 2014.</p>
+
+    <p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+  </section>
 </body>
 </document>
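Review bot: The third added paragraph has a typo and does not parse as a sentence: "An explanation of how to deterine whether you are vulnerable and what steps to take, see the Tomcat Wiki's ... page." Suggest "For an explanation of how to determine whether you are vulnerable and what steps to take, see ...". The same scheme-less href="www.openssl.org" appears here as in the HTML file, so correcting both in this XML and regenerating the HTML keeps the two copies consistent.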
 


