On Thu, May 22, 2025 at 9:13 AM Mark Thomas <ma...@apache.org> wrote:
>
> All,
>
> The last Tomcat Native releases were in July 2024. The Windows binaries
> were built with 3.0.14.
>
> There are some low severity CVEs in 3.0.14 that we don't believe apply
> to Tomcat's usage of OpenSSL but that may trigger a security scanner.
>
> There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post
> Quantum Cryptography.
>
> I'd like to get a new round of Tomcat Native releases made where the
> Windows binaries are built with 3.5.x.
>
> My question is does this need a version bump? I'm thinking not as I'm
> not planning on changing the minimum OpenSSL version and these are
> convenience binaries.
>
> Any objections?

+1

Fedora 42 is still on OpenSSL 3.2, so it will take one more upgrade cycle for people to actually upgrade to 3.5, unless they are rushing it.

Rémy

> Mark