Poodle vulnerability and stable branches 12.04

Nicolas Malin-2
Hi,

With the POODLE vulnerability, the branch 12.04 migrated to Java 1.7
from the SVN revision 1639986. For more information and to understand
the reason, you can see https://issues.apache.org/jira/browse/OFBIZ-5848.

You will need to upgrade your JVM from 1.6 to 1.7 on your local
environment if you follow the branch 12.04.

If you use Apache OFBiz 12.04.05, you may be concerned only if you use
the HTTPS connector of the embedded Tomcat. In this case, you can follow
this process:
  * update your JVM to 1.7
  * change your Tomcat SSL protocol to TLSv2 in your ofbiz-container.xml, like:
       <property name="sslProtocol" value="TLSv2"/>
       <property name="protocols" value="TLSv2"/>
  * apply the patch https://issues.apache.org/jira/secure/attachment/12681409/OFBIZ-5848-java17-12.04.patch
  * compile
  * Have fun!

If you detect any error, please let me know.

Nicolas
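
A config check for the second step of the process above, added here as an example and not part of the original post or of the OFBiz code base: it reads an ofbiz-container.xml and reports whether the two properties named in the post still list SSLv3 or an older protocol name. The sample XML layout, the function name and the status labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The two property names come from the post; the rest is assumed for illustration.
AUDITED = ("sslProtocol", "protocols")
# Names that leave SSLv3 (the protocol POODLE targets) or older on offer.
LEGACY = {"ssl", "sslv2", "sslv3"}

# Constructed sample: a connector as it might look before the change.
BEFORE = """<container name="example-container">
  <property name="https-connector" value="connector">
    <property name="protocols" value="SSLv3, TLSv1"/>
  </property>
</container>"""

# Constructed sample: the same connector with the two lines from the post.
AFTER = """<container name="example-container">
  <property name="https-connector" value="connector">
    <property name="sslProtocol" value="TLSv2"/>
    <property name="protocols" value="TLSv2"/>
  </property>
</container>"""


def audit_ssl_properties(xml_text):
    """Map each audited property to (status, values found).

    status: "unset" (absent or empty), "sslv3-allowed" or "no-sslv3".
    """
    found = {name: [] for name in AUDITED}
    for prop in ET.fromstring(xml_text).iter("property"):  # any nesting depth
        if prop.get("name") in found:
            found[prop.get("name")].append(prop.get("value", ""))
    report = {}
    for name, values in found.items():
        tokens = [t.strip().lower() for v in values for t in v.split(",")]
        tokens = [t for t in tokens if t]
        if not tokens:
            status = "unset"
        elif LEGACY.intersection(tokens):
            status = "sslv3-allowed"
        else:
            status = "no-sslv3"
        report[name] = (status, values)
    return report


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        for name, (status, values) in audit_ssl_properties(sample).items():
            print(label, name, status, values)
```

A "no-sslv3" status only means that no SSLv3-or-older name is listed in the file; what the running connector actually negotiates still has to be confirmed against the live HTTPS port.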
Re: Poodle vulnerability and stable branches 12.04

Jacques Le Roux
Administrator
Thanks Nicolas!

The same applies to Apache OFBiz 13.07.01 and of course, Apache OFBiz 12.04.* older releases (than 12.04.05)

Again: only mandatory if you use the HTTPS connector (like with Nginx as Front or with a direct access to the embedded Tomcat). Always better to update anyway.

Jacques

On 16/11/2014 22:38, Nicolas Malin wrote:

> Hi,
>
> With the POODLE vulnerability, the branch 12.04 migrated to Java 1.7 from the SVN revision 1639986. For more information and to understand the
> reason, you can see https://issues.apache.org/jira/browse/OFBIZ-5848.
>
> You will need to upgrade your JVM from 1.6 to 1.7 on your local environment if you follow the branch 12.04.
>
> If you use Apache OFBiz 12.04.05, you may be concerned only if you use the HTTPS connector of the embedded Tomcat. In this case, you can follow this
> process:
>  * update your JVM to 1.7
>  * change your Tomcat SSL protocol to TLSv2 in your ofbiz-container.xml, like:
>       <property name="sslProtocol" value="TLSv2"/>
>       <property name="protocols" value="TLSv2"/>
>  * apply the patch https://issues.apache.org/jira/secure/attachment/12681409/OFBIZ-5848-java17-12.04.patch
>  * compile
>  * Have fun!
>
> If you detect any error, please let me know.
>
> Nicolas
>
Re: Poodle vulnerability and stable branches 12.04

Nicolas Malin-2
On 16/11/2014 23:51, Jacques Le Roux wrote:
> Apache OFBiz 12.04.* older releases (than 12.04.05)
Yes, you're right :)
Just a little problem ... I'm not sure that my patch works on older
releases.

I will check after the ApacheCon EU.

Nicolas