Getting a grasp on Heartbleed and IDPs

Ian Young ian at iay.org.uk
Thu Apr 10 13:42:35 EDT 2014


On 10 Apr 2014, at 18:39, Cantor, Scott <cantor.2 at osu.edu> wrote:

> I don't have any information on the continued relevance of that option,
> but I can definitely say that if you use the APR connector for TLS in
> Tomcat (that's APR, not AJP, two different things), you would be subject
> to the issue if the version of OpenSSL was affected.

Alas, the last comment on this page seems to be an existence proof:

http://security.stackexchange.com/questions/55139/does-the-heartbleed-vulnerability-affect-apache-tomcat-servers-using-tomcat-nati

So just being Tomcat-only doesn't necessarily mean you are immune; if you are using APR (and apparently some systems come configured that way by default) then you are vulnerable.

	-- Ian
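
An added example, not part of the original message: a Python check of a Tomcat `server.xml` that lists the connectors whose TLS is handled by APR (and therefore by the linked OpenSSL), as opposed to JSSE or AJP connectors. The sample configuration and its paths are constructed, and whether the OpenSSL build itself is affected has to be checked separately.

```python
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample server.xml (not from any real deployment).
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               SSLCertificateFile="/constructed/cert.pem"
               SSLCertificateKeyFile="/constructed/key.pem"/>
    <Connector port="9443" SSLEnabled="true" scheme="https"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="/constructed/keystore.jks"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""


def apr_tls_connectors(server_xml):
    """Return [(port, reason)] for connectors whose TLS is handled by APR/OpenSSL."""
    root = ET.fromstring(server_xml)
    # Tomcat only initialises the native library when this listener is configured.
    has_listener = any(l.get("className") == APR_LISTENER
                       for l in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP: this connector does not terminate TLS
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol == APR_PROTOCOL:
            findings.append((conn.get("port"), "APR protocol set explicitly"))
        elif protocol == "HTTP/1.1" and has_listener:
            # "HTTP/1.1" auto-switches to APR when tomcat-native is loadable.
            findings.append((conn.get("port"), "APR auto-selected if tomcat-native loads"))
        # Http11Protocol / Http11NioProtocol use JSSE, not OpenSSL.
    return findings


if __name__ == "__main__":
    for port, reason in apr_tls_connectors(SAMPLE):
        print(f"port {port}: TLS via APR ({reason}); check the linked OpenSSL version")
```

A connector reported as auto-selected only uses APR when the tomcat-native library is actually present on the host, so confirm that in the Tomcat startup log before drawing a conclusion.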


