> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Wednesday, April 09, 2014 12:25 AM
> To: Tomcat Users List
> Subject: Re: Does the HeartBleed vulnerability affect Apache Tomcat
> servers using Tomcat Native?
>
>
> Arlo,
>
> On 4/8/14, 5:36 PM, Arlo White wrote:
> > After updating OpenSSL I simply restarted Tomcat to eliminate the
> > vulnerability.
>
> - -1
>
> You must re-key your server, and get a new cert from your CA. You have
> stopped the bleeding but your key should still be considered
> compromised.
>
> > (Checked http://filippo.io/Heartbleed before and after) I built APR
> > and Tomcat Native from source on the server, so I assume it's doing
> > dynamic library loading.
> >
> > Is the binary build staticly linked? Otherwise, I'm not sure it's
> > necessary to redo the builds.
>
> The ASF only provides binaries for win32, and yes, they are statically-
> linked. Users without the expertise to build their own tcnative binary
> will have to wait for the tcnative team to roll a new release.
>
> - -chris
Just to clarify what Chris is saying, ASF provides statically-linked binaries
for Windows in zip files with the string "win32" in the name. The zip file
actually contains versions for both x86 and x64 versions of Windows.
And yes, some of us don't have the expertise and/or tools to build the library
ourselves under Windows.
Jeff
