Jeffrey,

On 4/9/14, 1:18 PM, Jeffrey Janner wrote:
> Much as I loathe downgrading, would it be possible/advisable to 
> downgrade the native libraries to 1.1.23 with Tomcat 7.0.50?

Check the security and changelog pages?

> That version is the last to use a pre-1.0.1 version of OpenSSL
> (1.0.0g).

I thought that 1.0.0 was also vulnerable. I think you have to go back
to 0.9.8. Don't quote me on that.

> This could help us at least until we get a blessed version from the
> APR team?

I'm sure the vote will be quick. Honestly, I'm already +1 for release
even though it's not yet built. Any bugs in the release will be better
than insecure OpenSSL.

-chris