Hi, fair points.
I got this report from 2 separate sources. The one I know for a fact comes from 
Nessus. The second I don't know if it is also from Nessus or some other tool (I 
will try to find out and let you know).
I understand what you are saying about upgrading, and I will see if I can do 
that, but I believe that this will just gain time, not solve the problem.
The affected code (which is part of my original mail from 
org.apache.tomcat.util.net.jsse.JSSESocketFactory) is the same in all later 
versions of Tomcat as well. 
________________________________
 From: André Warnier <a...@ice-sa.com>
To: Tomcat Users List <users@tomcat.apache.org> 
Sent: Monday, November 26, 2012 11:41 PM
Subject: Re: Tomcat ssl vulnerability CVE-2009-3555
 
Hermes Flying wrote:
> Just to be clear. When I say report,  I mean a report from a security 
> penetration test suite which reports that the server allows renegotiation
> 
> ________________________________
> From: Hermes Flying <flyingher...@yahoo.com>
> To: "users@tomcat.apache.org" <users@tomcat.apache.org>
> Sent: Monday, November 26, 2012 10:36 PM
> Subject: Tomcat ssl vulnerability CVE-2009-3555
> Hi,
> I am running Tomcat 5.35 and I got a report that it is vulnerable to SSL 
> client renegotiation DoS. 

Hi.

I believe that Tomcat 5.35 does not exist. You probably mean 5.5.35.

You may first want to have a look at this page: 
http://tomcat.apache.org/tomcat-55-eol.html

To comment on your request for help, and without getting into the technical 
details:

You do not specify which "security penetration test suite" was used to get this 
result. Such tools are known to generate false positives from time to time, and 
naming the tool may trigger someone's memory.

Tomcat is free software, developed, maintained and supported by volunteers.  As 
is human and logical, they like to dedicate more of their time to recent and 
current versions of Tomcat, rather than old ones, particularly after their end 
of life has been reached.
That may be considered as a reasonable trade-off for being able to use software 
that is free of charge.

To your own benefit, thus: you would probably have a much better chance of 
getting attention and help for such an issue if you installed a recent version 
of Tomcat and confirmed with the same tool that you are getting the same 
result (or not), rather than "supposing" that you would.
(Have you tried to upgrade at least to v5.5.36, which is the "most current" 
release of that same branch, and checked if the same issue exists?)

If you then do *not* see the same issue, there is a reasonable chance that the 
recommendation that will be made, is to upgrade Tomcat to this more recent 
version.
Or else, you will have to provide reasonable motives for which you cannot do 
that.

But if you *do* see the same issue with a very recent version, then it is 
almost guaranteed that you will get immediate attention.

All that does not mean that there will not be someone on this list that is 
willing to dedicate time to your issue, but you may be willing to increase your 
chances anyway.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
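Since the thread turns on whether the scanner's finding can be reproduced on the old and on an upgraded Tomcat, here is a small probe, added for this page and not taken from the thread, from Nessus or from Tomcat, that does the same check the scanner does: it opens a TLS 1.2 session with openssl s_client, starts a second handshake from the client side mid-request (the "R" line), and classifies s_client's transcript. It assumes openssl(1) is on PATH and that you are permitted to test the host; the embedded transcript is constructed, not captured from a real server, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Probe a TLS server for client-initiated renegotiation with openssl s_client.
# Added example for this thread; it is not Tomcat code and not the scanner's logic.
# Assumes: openssl(1) on PATH, and permission to test HOST:PORT.

# Send a partial HTTP request, then "R" on its own line, which makes s_client
# renegotiate mid-connection. -tls1_2 avoids TLS 1.3 (which has no renegotiation)
# and -legacy_renegotiation lets the client proceed even if the server lacks
# the RFC 5746 secure renegotiation extension.
probe_renegotiation() {
    host="$1"
    port="${2:-443}"
    printf 'HEAD / HTTP/1.0\r\nR\r\n\r\n' |
        openssl s_client -connect "$host:$port" -tls1_2 -legacy_renegotiation 2>&1
}

# Read an s_client transcript on stdin and print one verdict line. This matches
# s_client's own messages, so treat it as a heuristic and read the transcript
# yourself when a result looks surprising.
classify_output() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Secure Renegotiation IS supported'; then
        rfc5746=yes
    else
        rfc5746=no
    fi
    if ! printf '%s\n' "$transcript" | grep -q 'RENEGOTIATING'; then
        echo "renegotiation-not-attempted rfc5746=$rfc5746"
        return 0
    fi
    # An SSL-library error or alert after RENEGOTIATING means the server refused
    # the second handshake. "verify error" lines are certificate checks on the
    # client side, not refusals, so they are deliberately not matched here.
    if printf '%s\n' "$transcript" | sed -n '/RENEGOTIATING/,$p' |
        grep -qiE 'ssl routines|handshake failure|alert|no renegotiation'; then
        echo "client-renegotiation-rejected rfc5746=$rfc5746"
    else
        echo "client-renegotiation-accepted rfc5746=$rfc5746"
    fi
}

# Constructed s_client transcript (not captured from any real server): a server
# without RFC 5746 that nevertheless completed the client-initiated renegotiation,
# which is the condition the scanner in the thread reports.
sample_transcript() {
    printf '%s\n' \
        'CONNECTED(00000003)' \
        'depth=0 CN = tomcat.example' \
        'verify error:num=18:self signed certificate' \
        'Secure Renegotiation IS NOT supported' \
        'RENEGOTIATING' \
        'HTTP/1.1 200 OK'
}

# Offline demonstration of the classifier on the constructed transcript.
demo_verdict() {
    sample_transcript | classify_output
}

# Usage: sh check_reneg.sh host [port]
if [ -n "${1:-}" ]; then
    probe_renegotiation "$1" "${2:-443}" | classify_output
fi
```

Run it once against the 5.5.x instance and once against the upgraded one, as the reply above suggests, and keep both transcripts: "client-renegotiation-accepted rfc5746=no" is the combination a scanner flags as CVE-2009-3555 exposure, while "rejected" on the newer build shows the upgrade changed the behaviour rather than just the version string. Whether client-initiated renegotiation is accepted is decided by the JSSE provider of the JVM rather than by Tomcat's own code, which is why the same JSSESocketFactory source can behave differently under different JDKs; on JDKs that recognise it, the jdk.tls.rejectClientInitiatedRenegotiation system property turns such renegotiations off.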