On 2025/05/22 07:13:49 Mark Thomas wrote: > All, > > The last Tomcat Native releases were in July 2024. The Windows binaries > were built with 3.0.14. > > There are some low severity CVEs in 3.0.14 that we don't believe apply > to Tomcat's usage of OpenSSL but that may trigger a security scanner. > > There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post > Quantum Cryptography. > > I'd like to get a new round of Tomcat Native releases made where the > Windows binaries are built with 3.5.x. > > My question is does this need a version bump? I'm thinking not as I'm > not planning on changing the minimum OpenSSL version and these are > convenience binaries. > > Any objections?
If 3.5 retains ABI and API then I don't see a reason to raise the minor version. Go for it. M --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
