On 2020-04-22 at 12:34, Mark Thomas wrote:
Hi all,

You have probably seen this:
OpenSSL - CVE-2020-1967
https://openssl.markmail.org/thread/nuamcatocap7rwrw

I have reviewed the Tomcat Native code and confirmed that we do not call
SSL_check_chain() at any point.

I also looked at the OpenSSL code as I was concerned that we might hit
the same problem via an internal code path. It appears I wasn't the only
one with that concern and the OpenSSL team confirmed that the issue only
occurs when calling SSL_check_chain():
https://openssl.markmail.org/thread/okfaim5oqhh2egj6

Therefore, it is not necessary to roll a new Tomcat Native release to
pick up an updated OpenSSL version for the Windows binaries.

That said, there are a few Tomcat Native fixes since 1.2.23 and it has
been 9 months since the last release. We should have enough time to get
a 1.2.24 release out if we want to.

Thoughts?

This sounds good to me. I'd like to add one more thing: remove the dep on apr_thread_id in ssl_thread_id(), because our impl is so elaborate that using APR here adds no benefit. With this change we can completely isolate the requirement for APR threading support to pre-OpenSSL 1.1.0 usage. But this will be for 1.2.25.

I will work on this little thing this week.

M
