Mark,
On 5/30/23 13:14, Mark Thomas wrote:
On 30/05/2023 16:54, Christopher Schultz wrote:
All,
On 5/26/23 13:46, Christopher Schultz wrote:
Mark,
On 5/24/23 04:28, Mark Thomas wrote:
OpenSSL has just announced a security fix release for 30 May.
We won't know what the security issues are until then so my
tentative plan is to tag and release Native 1.2.x and 2.0.x on 31
May, release Native 1.2.x and 2.0.x relatively quickly, update all
Tomcat versions to use the new Native versions and then start the
June releases.
Thoughts?
Sounds good. I can set aside some time on Wednesday morning to roll
10.1.x and 8.5.x as well.
Having read the announcement, I don't think there is a particular rush
to get the June release out ASAP.
We bundle OpenSSL 1.1.1 with official Tomcat releases and the
announcement seems to indicate that 1.1.1 is even less affected than
usual.
Tomcat Native 2.x binaries (for Windows) are built with OpenSSL 3.0.x
Tomcat Native 1.x binaries (for Windows) are built with OpenSSL 1.1.1
It looks like the only risk is if CLIENT-CERT authentication is used and
even then with the limits OpenSSL has in place the DoS opportunities are
pretty small.
I'm leaning towards doing a release anyway. I should be able to get it
done later today.
I think I misread your initial email; you were suggesting doing a
tcnative release today/tomorrow and then doing the Tomcat releases
immediately thereafter. +1 to that plan.
-chris