On 30/05/2023 16:54, Christopher Schultz wrote:
All,
On 5/26/23 13:46, Christopher Schultz wrote:
Mark,
On 5/24/23 04:28, Mark Thomas wrote:
OpenSSL has just announced a security fix release for 30 May.
We won't know what the security issues are until then so my tentative
plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release
Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions
to use the new Native versions and then start the June releases.
Thoughts?
Sounds good. I can set aside some time on Wednesday morning to roll
10.1.x and 8.5.x as well.
Having read the announcement, I don't think there is a particular rush
to get the June release out ASAP.
We bundle OpenSSL 1.1.1 with official Tomcat releases and the
announcement seems to indicate that 1.1.1 is even less affected than usual.
Tomcat Native 2.x binaries (for Windows) are built with OpenSSL 3.0.x
Tomcat Native 1.x binaries (for Windows) are built with OpenSSL 1.1.1
It looks like the only risk is if CLIENT-CERT authentication is used and
even then with the limits OpenSSL has in place the DoS opportunities are
pretty small.
I'm leaning towards doing a release anyway. I should be able to get it
done later today.
Mark