On 17/12/2025 13:56, Mark Thomas wrote:
On 17/12/2025 13:24, Christopher Schultz wrote:
Mark,

On 12/17/25 5:46 AM, Mark Thomas wrote:
The key differences in version 2.0.10 compared to 2.0.9 are:

- The windows binaries in this release have been built with OpenSSL
   3.5.4 and APR 1.7.6

- OCSP support is included (but not enabled) by default with various
   improvements to the OCSP checks

- Add the ability to configure TLS 1.3 ciphers

The 2.0.x branch is primarily intended for use with Tomcat 10.1.x onwards but can be used with earlier versions as long as the APR/native connector is not used.

The proposed release artifacts can be found at [1],
and the build was done using tag [2].

The Apache Tomcat Native 2.0.10 release is
  [ ] Stable, go ahead and release
  [ ] Broken because of ...

I'm not sure how big of a deal this is, but this variable is checked without being initialized in sslutils.c:

         OCSP_RESPONSE *resp;

         req = get_ocsp_request(cert, issuer);

         if(req != NULL) {
         }

         if (resp != NULL) {
             OCSP_RESPONSE_free(resp);
         }

I think you'll be checking against a potentially uninitialized pointer in some cases. Maybe it's really not possible for req to be NULL but if it is, I think you'll have a memory leak.

I'm not sure if this is a -1 from me or not. More like a -0 based solely on this potential memory leak.

This is less critical, but if we decide to pull the release for the above, we might want to fix this for the next build:

INFO: Loaded Apache Tomcat Native library [2.0.10-dev] using APR version [1.7.6].

(-dev suffix)

I'd argue that is actually more of an issue. We won't be able to be sure what code folks are running if they report an issue.

That looks like a local build issue. I don't see that when building from either the tag or the src bundle.

I'm happy to re-tag 2.0.11.

I'll do that anyway to pick up your fix.

Mark



That said, the build is clean and all the Tomcat unit tests pass on macOS with this library installed.

Tx. That is good to know.

Mark
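In the sslutils.c fragment quoted above, resp is only assigned inside the req != NULL branch, so the later "if (resp != NULL)" test reads an indeterminate value whenever req is NULL. The corrected shape, written here as an added example that is not Tomcat Native's own code, uses constructed stand-ins for the OCSP_REQUEST/OCSP_RESPONSE objects and a hypothetical get_ocsp_request() so it compiles without OpenSSL; a live-object counter lets both the req == NULL and req != NULL paths be checked for leaks.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for the opaque OpenSSL OCSP_REQUEST and
 * OCSP_RESPONSE objects. They exist only so allocations can be counted. */
typedef struct { int id; } ocsp_request_t;
typedef struct { int status; } ocsp_response_t;

static int live_objects = 0;   /* incremented on alloc, decremented on free */

static ocsp_request_t *request_new(void) {
    ocsp_request_t *r = calloc(1, sizeof *r);
    if (r) live_objects++;
    return r;
}
static void request_free(ocsp_request_t *r) {   /* NULL-safe, like OpenSSL */
    if (r) { live_objects--; free(r); }
}
static ocsp_response_t *response_new(void) {
    ocsp_response_t *r = calloc(1, sizeof *r);
    if (r) live_objects++;
    return r;
}
static void response_free(ocsp_response_t *r) { /* NULL-safe, like OpenSSL */
    if (r) { live_objects--; free(r); }
}

/* Hypothetical stand-in for get_ocsp_request(): returns NULL when the
 * certificate carries no usable OCSP responder information. */
static ocsp_request_t *get_ocsp_request(int has_ocsp_info) {
    return has_ocsp_info ? request_new() : NULL;
}

/* Corrected shape of the fragment: every pointer the cleanup code tests is
 * initialised to NULL before any skipped branch can leave it untouched. */
int check_ocsp(int has_ocsp_info) {
    ocsp_request_t  *req  = NULL;
    ocsp_response_t *resp = NULL;
    int ok = 0;

    req = get_ocsp_request(has_ocsp_info);
    if (req != NULL) {
        resp = response_new();   /* stands in for sending the request */
        ok = (resp != NULL);
    }

    /* resp is never indeterminate here, and both frees accept NULL. */
    response_free(resp);
    request_free(req);
    return ok;
}

int live_object_count(void) { return live_objects; }
```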


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]