On 08/01/18 09:31, Konstantin Kolinko wrote: > 2018-01-04 23:42 GMT+03:00 Mark Thomas <ma...@apache.org>: >> Hi all, >> >> It is the start of a new month and the open issue list looks to be clear >> so I'm planning on tagging 9.0.x and 8.5.x early next week. > > Is there a need for a new Tomcat-Native build for Windows, > to update to OpenSSL 1.0.2n (released 2017-12-07). > > Tomcat Native 1.2.16 (released 2017-11-20) is built with 1.0.2m, > > https://www.openssl.org/news/newslog.html > > Generally, I think that CVE-2017-3737 does not affect us, as I read it that it > relies on an application ignoring a fatal error from a handshake and > continuing to read data, > and I think that Tomcat won't ignore a fatal handshake error.
I concur. I wasn't planning on a Tomcat-Native release. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
