On 08/01/2011 03:06 PM, Konstantin Kolinko wrote:
2011/8/1 Rainer Jung<rainer.j...@kippdata.de>:
>> - Binaries built against old APR 1.3.12 (recent is 1.4.5)
>> and OpenSSL 0.9.8r (recent is 1.0.1d).
>> Is that intentional?
> (I think you meant 1.0.0d. That is what the latest version is [1].)
> 1. Both other products I use that depend on OpenSSL (Apache HTTPD and
> Subversion) are already upgraded to APR 1.4.5 and OpenSSL 1.0.0d in
> those builds that I am using.
> 2. The OpenSSL version seems formally OK, because 0.9.8r and 1.0.0d were
> released on the same day and contain the same vulnerability fixes.
> Though I would prefer 1.0.0d, because of "1." above.
> 3. APR version - it is hard to assess, but from a quick glance it looks
> like 1.4.5 has a fix for
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
> (further fixed in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1928).
We don't use fnmatch.
But we should upgrade the build at some point (updating the build is
only a packaging/testing issue, in fact).
Cheers
Jean-Frederic
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org