On 22.05.25 at 09:13, Mark Thomas wrote:
All,
The last Tomcat Native releases were in July 2024. The Windows binaries
were built with 3.0.14.
There are some low severity CVEs in 3.0.14 that we don't believe apply
to Tomcat's usage of OpenSSL but that may trigger a security scanner.
There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post
Quantum Cryptography.
I'd like to get a new round of Tomcat Native releases made where the
Windows binaries are built with 3.5.x.
My question is does this need a version bump? I'm thinking not as I'm
not planning on changing the minimum OpenSSL version and these are
convenience binaries.
Any objections?
+1, no objections.
There were some important performance optimizations post 3.0 (improve
lock use and handling). Not sure whether they overlap with tcnative use
cases, though.
I regularly run my release vote tests (TC unit tests) using tcnative
1.3.1 and 2.0.8 also with OpenSSL 3.5.0 (since beta) and never observed
a problem.
Since the binary artefacts provided for download already contain the
OpenSSL version as part of their name, I don't see any reason for a new
tcnative version.
Best regards,
Rainer