Re: November release round

Wed, 02 Nov 2022 11:36:18 -0700 

Mark,

On 11/1/22 12:19, Mark Thomas wrote:
I've just read the OpenSSL announcement. The issue has been downgraded to critical but we are going to need to new Tomcat Native release. There are a couple of stack overflow bugs in certificate verification so Tomcat could be accepted via CLIENT-CERT. 

s/accepted/affected/


I've been following this as well, and I agree that we need a flurry of 
releases. It's too bad we decided to bundle libtcnative.dll with Tomcat 
releases. *NIX users don't have to wait for a release...



I think we should have an immediate VOTE on a tcnative release which 
includes an updated statically-linked Windows DLL. Because there are no 
code changes (?) since the last tcnative release... can we simply 
fast-forward to a release-by-acclamation? ASF probably says no to that. :/


-chris


On 25/10/2022 16:55, Rémy Maucherat wrote:

On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:


Hi all,

I've just seen the heads up from the OpenSSL project that there will be
a 3.0.7 release on 2022-12-01 that will address a critical
vulnerability. We won't know the details of the vulnerability until the
release announcement. Given that it may trigger a Tomcat Native release
my current thinking is:

- prep for November releases as normal
- review the OpenSSL issue once public
- roll a Tomcat Native release if necessary
- update to the new Tomcat Native release of there is one
- roll the Tomcat releases

Do we want to pick up an updated migration tool as well?


Maybe, we're in the process of integrating a PR for the tool. The
submitter says it makes it run faster.

Rémy


Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org























					Reply via email to