On 02/11/2022 18:36, Christopher Schultz wrote:
Mark,
On 11/1/22 12:19, Mark Thomas wrote:
I've just read the OpenSSL announcement. The issue has been downgraded
to critical but we are going to need a new Tomcat Native release.
There are a couple of stack overflow bugs in certificate verification
so Tomcat could be accepted via CLIENT-CERT.
s/accepted/affected/
Tx.
I've been following this as well, and I agree that we need a flurry of
releases. It's too bad we decided to bundle libtcnative.dll with Tomcat
releases. *NIX users don't have to wait for a release...
Neither do Windows users. They just have to build from source like their
Unix colleagues.
I think we should have an immediate VOTE on a tcnative release which
includes an updated statically-linked Windows DLL. Because there are no
code changes (?) since the last tcnative release... can we simply
fast-forward to a release-by-acclamation? ASF probably says no to that. :/
The VOTE thread is on the way. I'm currently travelling so things are a
little trickier / slower than usual but I expect to get the VOTE thread
out in the next hour or so.
We can end the VOTE whenever we like. If we have at least 3 +1 PMC votes
and more PMC +1 votes than -1 votes then we can release. The 72 hours is
a guideline / very strong recommendation but if we have a good reason
for doing something else that is fine. And security is generally
accepted as a good reason for a shorter vote. If we had everyone lined
up ready to VOTE, the whole thing could be over in a couple of minutes.
Mark
-chris
On 25/10/2022 16:55, Rémy Maucherat wrote:
On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
Hi all,
I've just seen the heads up from the OpenSSL project that there will be
a 3.0.7 release on 2022-12-01 that will address a critical
vulnerability. We won't know the details of the vulnerability until the
release announcement. Given that it may trigger a Tomcat Native release
my current thinking is:
- prep for November releases as normal
- review the OpenSSL issue once public
- roll a Tomcat Native release if necessary
- update to the new Tomcat Native release if there is one
- roll the Tomcat releases
Do we want to pick up an updated migration tool as well?
Maybe, we're in the process of integrating a PR for the tool. The
submitter says it makes it run faster.
Rémy
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org