I've just read the OpenSSL announcement. The issue has been downgraded to critical but we are going to need a new Tomcat Native release. There are a couple of stack overflow bugs in certificate verification so Tomcat could be accepted via CLIENT-CERT.

Where are we on the migration tool? I haven't been following that closely. Is the repo ready for a release?

Mark


On 25/10/2022 16:55, Rémy Maucherat wrote:
On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:

Hi all,

I've just seen the heads up from the OpenSSL project that there will be
a 3.0.7 release on 2022-12-01 that will address a critical
vulnerability. We won't know the details of the vulnerability until the
release announcement. Given that it may trigger a Tomcat Native release
my current thinking is:

- prep for November releases as normal
- review the OpenSSL issue once public
- roll a Tomcat Native release if necessary
- update to the new Tomcat Native release if there is one
- roll the Tomcat releases

Do we want to pick up an updated migration tool as well?

Maybe, we're in the process of integrating a PR for the tool. The
submitter says it makes it run faster.

Rémy

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

