OpenSSL issues and release plans

[Mark Thomas <ma...@apache.org>]

Hi,

OpenSSL have released the details of the security fixed in 1.0.2h. I've
looked through them quickly and it looks like at least CVE-2016-2107 is
applicable to Tomcat-Native.

Given that I haven't got 9.0.x to the point where it is ready to release
and that it is likely to take a couple more days to do that (mainly
because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
propose to do the following:

Update Tomcat-Native to reference 1.0.2h (possibly the only change since
1.2.6) and tag 1.2.7. I should be able to do that later today. By the
time the release vote for that has finished, I should be in a position
to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.

If all goes to plan, we should have a 9.0.x release around the middle of
next week.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: OpenSSL issues and release plans

[Rainer Jung <ra...@kippdata.de>]

Am 03.05.2016 um 16:53 schrieb Mark Thomas:
> Hi,
>
> OpenSSL have released the details of the security fixed in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.

+1

Rainer



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: OpenSSL issues and release plans

[Rémy Maucherat <re...@apache.org>]

2016-05-03 16:53 GMT+02:00 Mark Thomas <ma...@apache.org>:

> Hi,
>
> OpenSSL have released the details of the security fixed in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.
>
> If all goes to plan, we should have a 9.0.x release around the middle of
> next week.
>
> +1 for the plan.

Rémy

Re: OpenSSL issues and release plans

[Konstantin Kolinko <kn...@gmail.com>]

2016-05-03 17:53 GMT+03:00 Mark Thomas <ma...@apache.org>:
> Hi,
>
> OpenSSL have released the details of the security fixed in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.

+1.

Native 1.2.6 had wrong VERSIONS file (at the root of binary *.zip
files,  at native/srclib/VERSIONS in source archives)
saying APR 1.5.1, while 1.5.2 was actually used.

> If all goes to plan, we should have a 9.0.x release around the middle of
> next week.


Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: OpenSSL issues and release plans

[Mark Thomas <ma...@apache.org>]

On 03/05/2016 16:27, R�my Maucherat wrote:
> 2016-05-03 16:53 GMT+02:00 Mark Thomas <ma...@apache.org>:
> 
>> Hi,
>>
>> OpenSSL have released the details of the security fixed in 1.0.2h. I've
>> looked through them quickly and it looks like at least CVE-2016-2107 is
>> applicable to Tomcat-Native.
>>
>> Given that I haven't got 9.0.x to the point where it is ready to release
>> and that it is likely to take a couple more days to do that (mainly
>> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
>> propose to do the following:
>>
> Should I port the direct connection support to 8.5 ? It looks a bit hacky
> but to be honest I don't want to do it "better", otherwise it will
> instantly become a weird port multiplexing apparatus.

+1

I'm all in favour of keeping 9.0.x and 8.5.x as close as possible.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: OpenSSL issues and release plans

[Rémy Maucherat <re...@apache.org>]

2016-05-03 16:53 GMT+02:00 Mark Thomas <ma...@apache.org>:

> Hi,
>
> OpenSSL have released the details of the security fixed in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Should I port the direct connection support to 8.5 ? It looks a bit hacky
but to be honest I don't want to do it "better", otherwise it will
instantly become a weird port multiplexing apparatus.

Rémy