Jeff,
(Strange... to me, your message looked like an attachment to the security notice that would typically be put at the end of a message. When I tried to reply to that, all the characters got all wonky. At least copy-paste still works :)

On 8/12/2009 10:51 AM, Jeffrey Janner wrote:
> Just to clarify some things: This CVE only applies to the default
> SSL connector functionality. It doesn't apply to the APR/OpenSSL
> connector. Correct?

I would guess not, since APR uses OpenSSL, which has its own default set of ciphers. On the other hand, Tomcat could override the default set of ciphers when configuring APR at runtime.

I can't seem to find this bug listed in Bugzilla for any version of Tomcat, so I can't see which commit fixed it (and whether it included connectors other than Coyote). I also looked at the release notes, but they don't include a changelog. The changelog itself for Tomcat 5.5 does not contain the text "1858". The only thing I can find in the changelog is this note under 5.5.17, which is listed as a fix without a bug number:

"Make the default cipher suites available for SSL the same as the set of cipher suites enabled by default rather than the set of all cipher suites. This prevents cipher suites that do not provide confidentiality protection and/or server authentication being used by default. (markt)"

Tomcat 6.0 does not appear to suffer from this vulnerability, and there does not appear to be a changelog for Tomcat 4 (at least not easily accessible from the web site).
Fortunately, GI/M/F: http://archive.apache.org/dist/tomcat/tomcat-4/v4.1.40/RELEASE-NOTES-4.1.txt

...though I can't find anything in there :(

-chris
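What the 5.5.17 changelog note quoted above amounts to in JSSE terms, as an added example that is not part of this thread or of Tomcat's own code: JSSE distinguishes the cipher suites a server socket factory *supports* from the ones it *enables by default*, and a connector that enables the whole supported list (the "set of all cipher suites" the note refers to) picks up suites that offer no confidentiality (NULL) or no server authentication (anon). The program below lists that difference on the running JVM and builds two listening sockets, one with the weak "everything supported" setting and one restricted to the JSSE defaults. It assumes only the standard javax.net.ssl API; no keystore is needed because no handshake takes place. On a recent JDK the NULL and anon suites may have been dropped from the supported list entirely, in which case the "extra" list shows only suites the JDK supports but does not enable.

```java
import java.util.Arrays;
import java.util.TreeSet;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Added example (not Tomcat code): compares the suites a JSSE server socket
 * factory supports with the ones it enables by default, and shows the weak
 * "enable everything supported" configuration beside the corrected one.
 */
public class CipherSuiteDefaults {

    /** Heuristic on the suite name: NULL = no encryption, anon = no server authentication. */
    static boolean lacksProtection(String suite) {
        return suite.contains("_NULL_") || suite.contains("_anon_");
    }

    /** Suites that enabling the full supported list would add over the JSSE defaults. */
    static TreeSet<String> extraSuites(SSLServerSocketFactory factory) {
        TreeSet<String> extra = new TreeSet<String>(Arrays.asList(factory.getSupportedCipherSuites()));
        extra.removeAll(Arrays.asList(factory.getDefaultCipherSuites()));
        return extra;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        System.out.println("supported by this JVM : " + factory.getSupportedCipherSuites().length);
        System.out.println("enabled by default    : " + factory.getDefaultCipherSuites().length);
        System.out.println("added if a server enables all supported suites:");
        for (String suite : extraSuites(factory)) {
            String flag = lacksProtection(suite) ? "  <-- no confidentiality and/or server authentication" : "";
            System.out.println("  " + suite + flag);
        }

        // Weak behaviour: every supported suite is enabled on the listening socket.
        SSLServerSocket weak = (SSLServerSocket) factory.createServerSocket(0);
        weak.setEnabledCipherSuites(factory.getSupportedCipherSuites());

        // Corrected behaviour (what the changelog note describes): stay with the JSSE default set.
        SSLServerSocket fixed = (SSLServerSocket) factory.createServerSocket(0);
        fixed.setEnabledCipherSuites(factory.getDefaultCipherSuites());

        System.out.println("weak socket enables " + weak.getEnabledCipherSuites().length
                + " suites, fixed socket enables " + fixed.getEnabledCipherSuites().length);
        weak.close();
        fixed.close();
    }
}
```

Compile and run with `javac CipherSuiteDefaults.java && java CipherSuiteDefaults`. Any suite flagged in the output is one a pre-5.5.17 default configuration would have offered to clients; the `fixed` socket shows the behaviour after the change, where the enabled set and the JSSE default set coincide.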