All,

On 8/8/22 18:15, Christopher Schultz wrote:
The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

  - Update the packaged version of the Tomcat Native Library to 1.2.35 to
    pick up Windows binaries built with OpenSSL 1.1.1q.

  - Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

  - Improvements to HTTP/2 header handling.

  - Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.82 (stable)

Works with a vanilla application in a development environment.

Notes on the "details" below:

1. The "Signature verification failed" for the Windows binary is due to a misconfiguration of osslsigncode on the server I used to run my tests. I have corrected that and verified that the Windows binary is properly-signed.

2. The failures for the PEMFile tests are due to a bug in the JVM which has been fixed in Java 1.8.0-8u301 while the version used for testing here is 1.8.0-8u292.

Details:
* Environment
*  Java (build): openjdk version "1.8.0_292"
*                OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10)
*                OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
*  Java (test):  openjdk version "1.8.0_292"
*                OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10)
*                OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
*  OS:       Linux 5.10.0-14-amd64 x86_64
*  cc:       cc (Debian 10.2.1-6) 10.2.1 20210110
*  make:     GNU Make 4.3
*  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
*  APR:      1.7.0
*
* Valid SHA-512 signature for apache-tomcat-8.5.82.zip
* Valid GPG signature for apache-tomcat-8.5.82.zip
* Valid SHA-512 signature for apache-tomcat-8.5.82.tar.gz
* Valid GPG signature for apache-tomcat-8.5.82.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.82.exe
* Valid GPG signature for apache-tomcat-8.5.82.exe
* !! Invalid Windows Digital Signature for apache-tomcat-8.5.82.exe
* Valid SHA512 signature for apache-tomcat-8.5.82-src.zip
* Valid GPG signature for apache-tomcat-8.5.82-src.zip
* Valid SHA512 signature for apache-tomcat-8.5.82-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.82-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: FAILED
*
* Tests that failed:
* org.apache.tomcat.util.net.jsse.TestPEMFile.APR.txt
* org.apache.tomcat.util.net.jsse.TestPEMFile.NIO.txt
* org.apache.tomcat.util.net.jsse.TestPEMFile.NIO2.txt

-chris
