Author: schultz
Date: Mon Apr 14 18:13:39 2014
New Revision: 1587268
URL: http://svn.apache.org/r1587268
Log:
Added security statement regarding CVE-2014-0160 (aka OpenSSL Heartbleed).
Modified:
tomcat/site/trunk/docs/security-native.html
tomcat/site/trunk/xdocs/security-native.xml
Modified: tomcat/site/trunk/docs/security-native.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-native.html?rev=1587268&r1=1587267&r2=1587268&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-native.html (original)
+++ tomcat/site/trunk/docs/security-native.html Mon Apr 14 18:13:39 2014
@@ -261,6 +261,30 @@
vary with both application and client. In some circumstances disabling
renegotiation may result in some clients being unable to access the
application.</p>
+
+
+<p>
+<strong>Important: Remote Memory Read</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160"
rel="nofollow">CVE-2014-0160</a> (a.k.a. "Heartbleed")</p>
+
+
+<p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+
+<p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a
href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+
+<p>This issue was first announced on 7 April 2014.</p>
+
+
+<p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
</div>
</div>
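Review bot: The OpenSSL link in the second added paragraph uses href="www.openssl.org" with no scheme, so a browser resolves it as a path relative to security-native.html instead of the OpenSSL site. Suggest a fully qualified URL such as href="https://www.openssl.org/", in line with the CVE and wiki links in the same hunk. The same attribute value appears in the xdocs/security-native.xml change, so it needs the fix there as well.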
Modified: tomcat/site/trunk/xdocs/security-native.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-native.xml?rev=1587268&r1=1587267&r2=1587268&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-native.xml (original)
+++ tomcat/site/trunk/xdocs/security-native.xml Mon Apr 14 18:13:39 2014
@@ -54,8 +54,25 @@
vary with both application and client. In some circumstances disabling
renegotiation may result in some clients being unable to access the
application.</p>
- </section>
+ <p><strong>Important: Remote Memory Read</strong>
+ <cve>CVE-2014-0160</cve> (a.k.a. "Heartbleed")</p>
+
+ <p>A bug in certain versions of <a href="www.openssl.org">OpenSSL</a>
+ can allow an unauthenticated remote user to read certain contents of
+ the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29
+ include this vulnerable version of OpenSSL. tcnative 1.1.30 and later
+ ship with patched versions of OpenSSL.</p>
+
+ <p>An explanation of how to deterine whether you are vulnerable and what
+ steps to take, see the Tomcat Wiki's
+ <a
href="https://wiki.apache.org/tomcat/Security/Heartbleed">Heartbleed</a>
+ page.</p>
+
+ <p>This issue was first announced on 7 April 2014.</p>
+
+ <p>Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29</p>
+ </section>
</body>
</document>
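Review bot: The third added paragraph contains a typo ("deterine") and does not read as a complete sentence: "An explanation of how to deterine whether you are vulnerable and what steps to take, see the Tomcat Wiki's ...". Suggest "For an explanation of how to determine whether you are vulnerable and what steps to take, see the Tomcat Wiki's Heartbleed page." In the second paragraph, "this vulnerable version of OpenSSL" has nothing specific to refer back to, because the preceding sentence only says "certain versions"; repeating the range from the Affects line (OpenSSL 1.0.1-1.0.1f) there would remove the ambiguity.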