https://bz.apache.org/bugzilla/show_bug.cgi?id=69607
--- Comment #14 from sve...@redseal.net ---
Great, thanks for the update.
--- Comment #13 from Chuck Caldarale ---
Releases are normally made during the first week of the month, so not too much
longer to wait.
--- Comment #12 from sve...@redseal.net ---
We are currently using Tomcat 9.0.98, which has some known vulnerabilities, and
we plan to upgrade.
As of now, Tomcat version 9.0.103 appears to be the best option for us, as it
eliminates the need for
rmaucher closed pull request #831: [Bug 69607] - MD5 algorithm insecure usage
in tomcat-util
URL: https://github.com/apache/tomcat/pull/831
Remy Maucherat changed:
What|Removed |Added
Status|NEEDINFO|RESOLVED
Resolution|---
--- Comment #10 from sve...@redseal.net ---
We have created the PR as per Christopher's comment:
https://github.com/apache/tomcat/pull/831
--
ShivamVerma380 opened a new pull request, #831:
URL: https://github.com/apache/tomcat/pull/831
--- Comment #9 from Christopher Schultz ---
I would have no problem adding try/catch around those static initializer calls
to init(MD5) and init(SHA1) and just ignore IllegalArgumentException (with a
log).
--- Comment #7 from Christopher Schultz ---
I don't know of a way to reliably check to see if a JSSE provider is in FIPS
mode or not.
--- Comment #8 from sve...@redseal.net ---
We have a getWebSocketUpdate() method in
org.apache.tomcat.websocket.server.UpgradeUtil class which causes the issue.
private static String getWebSocketAccept(String key) {
byte[] digest =
Conc
--- Comment #6 from Mark Thomas ---
Sorry - keyboard error. Try again.
Just considering options for addressing this. When running in FIPS mode, is the
issue that requesting MD5 triggers an exception from the FIPS provider that
Tomcat doesn't h
--- Comment #5 from Mark Thomas ---
Just considering options for addressing this. When running in FIPS mode, is the
issue that re
--- Comment #4 from Christopher Schultz ---
It's not as simple as dropping that call. If you drop the call, MD5 cannot be
used at all, even when the environment (later) requests it.
If you want to provide a patch, please ensure that init(MD5)
--- Comment #3 from ywei...@redseal.net ---
Yes, that makes sense.
It is really the static init block that is causing us issues. We were actually
just thinking to lazy init the MD5 cache and move it out of the static block.
Would that be OK?
Christopher Schultz changed:
What|Removed |Added
Status|NEW |NEEDINFO
--- Comment #2 from Chr
--- Comment #1 from Mark Thomas ---
Remove completely, no. Handle gracefully if not available, yes.
That might include deprecating digestMD5() in Tomcat 11 and removing for Tomcat
12 onwards.
Note that MD5 is a required algorithm for Java <=
ywei...@redseal.net changed:
What|Removed |Added
CC||ywei...@redseal.net