Hi,

On Wed, Apr 22, 2020 at 1:34 PM Mark Thomas <ma...@apache.org> wrote:
> Hi all,
>
> You have probably seen this:
> OpenSSL - CVE-2020-1967
> https://openssl.markmail.org/thread/nuamcatocap7rwrw
>
> I have reviewed the Tomcat Native code and confirmed that we do not call
> SSL_check_chain() at any point.
>
> I also looked at the OpenSSL code as I was concerned that we might hit
> the same problem via an internal code path. It appears I wasn't the only
> one with that concern and the OpenSSL team confirmed that the issue only
> occurs when calling SSL_check_chain():
> https://openssl.markmail.org/thread/okfaim5oqhh2egj6
>
> Therefore, it is not necessary to roll a new Tomcat Native release to
> pick up an updated OpenSSL version for the Windows binaries.
>
> That said, there are a few Tomcat Native fixes since 1.2.23 and it has
> been 9 months since the last release. We should have enough time to get
> a 1.2.24 release out if we want to.
>
> Thoughts?

+1

I use a build from the master branch for my testing application and I didn't have any problems with it!

Regards,
Martin

> Mark