https://issues.apache.org/bugzilla/show_bug.cgi?id=57465
--- Comment #3 from brian.m.pick...@gmail.com ---
(In reply to brian.m.pickens from comment #2)
> Unless I'm somehow mistaken I believe the following CVEs apply to openssl
> 1.0.1j and I believe tcnative 1.1.31 is built with 1.0.1j.
>
> CVE-2014-3569: 21st October 2014
> CVE-2014-8275: 5th January 2015
> CVE-2014-3572: 5th January 2015
> CVE-2015-0204: 6th January 2015
> CVE-2014-3570: 8th January 2015
> CVE-2015-0205: 8th January 2015
> CVE-2015-0206: 8th January 2015
> CVE-2014-3571: 8th January 2015

Basically, according to these CVEs the specified openssl version is vulnerable to DDoS attacks, downgraded key attacks, and removal of forward secrecy attacks, these being the most critical of the rest.