Re: [jetty-users] Does openSSL CVE-2014-0160 effect jetty users?

[Lothar Kimmeringer <job@xxxxxxxxxxxxxx>]

Am 09.04.2014 11:13, schrieb Peter Ondruška:
> On Wednesday, 9 April 2014, maarten ligtvoet <maartenligtvoet@xxxxxxxxx <mailto:maartenligtvoet@xxxxxxxxx>> wrote:
> 
>>     Does the openSSL heartbleed bug effect jetty users?
> Jetty uses Java VM's SSL, not OpenSSL. 

and to continue the answer: Since the SSL-implementation should be
in Pure Java, missing boundary-checks aren't a topic there.

A final answer depends on the configuration of your JVM, though.
In theory, you can change the SSLSocketFactory by one that
actually uses OpenSSL via JNI, but that's something never being
heard of - at least by me.


Regards, Lothar