All,
The last Tomcat Native releases were in July 2024. The Windows binaries
were built with 3.0.14.
There are some low severity CVEs in 3.0.14 that we don't believe apply
to Tomcat's usage of OpenSSL but that may trigger a security scanner.
There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post
Quantum Cryptography.
I'd like to get a new round of Tomcat Native releases made where the
Windows binaries are built with 3.5.x.
My question is does this need a version bump? I'm thinking not as I'm
not planning on changing the minimum OpenSSL version and these are
convenience binaries.
Any objections?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
