2018-01-04 23:42 GMT+03:00 Mark Thomas <ma...@apache.org>: > Hi all, > > It is the start of a new month and the open issue list looks to be clear > so I'm planning on tagging 9.0.x and 8.5.x early next week.
Is there a need for a new Tomcat-Native build for Windows, to update to OpenSSL 1.0.2n (released 2017-12-07). Tomcat Native 1.2.16 (released 2017-11-20) is built with 1.0.2m, https://www.openssl.org/news/newslog.html Generally, I think that CVE-2017-3737 does not affect us, as I read it that it relies on an application ignoring a fatal error from a handshake and continuing to read data, and I think that Tomcat won't ignore a fatal handshake error. Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
