Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/05/03 16:53:04 UTC
OpenSSL issues and release plans
Hi,
OpenSSL have released the details of the security fixes in 1.0.2h. I've
looked through them quickly and it looks like at least CVE-2016-2107 is
applicable to Tomcat-Native.
Given that I haven't got 9.0.x to the point where it is ready to release
and that it is likely to take a couple more days to do that (mainly
because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
propose to do the following:
Update Tomcat-Native to reference 1.0.2h (possibly the only change since
1.2.6) and tag 1.2.7. I should be able to do that later today. By the
time the release vote for that has finished, I should be in a position
to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.
If all goes to plan, we should have a 9.0.x release around the middle of
next week.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: OpenSSL issues and release plans
Posted by Rainer Jung <ra...@kippdata.de>.
On 03.05.2016 at 16:53, Mark Thomas wrote:
> Hi,
>
> OpenSSL have released the details of the security fixes in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.
+1
Rainer
Re: OpenSSL issues and release plans
Posted by Rémy Maucherat <re...@apache.org>.
2016-05-03 16:53 GMT+02:00 Mark Thomas <ma...@apache.org>:
> Hi,
>
> OpenSSL have released the details of the security fixes in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.
>
> If all goes to plan, we should have a 9.0.x release around the middle of
> next week.
>
+1 for the plan.
Rémy
Re: OpenSSL issues and release plans
Posted by Konstantin Kolinko <kn...@gmail.com>.
2016-05-03 17:53 GMT+03:00 Mark Thomas <ma...@apache.org>:
> Hi,
>
> OpenSSL have released the details of the security fixes in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.
+1.
Native 1.2.6 had a wrong VERSIONS file (at the root of the binary *.zip
files, at native/srclib/VERSIONS in the source archives)
saying APR 1.5.1, while 1.5.2 was actually used.
> If all goes to plan, we should have a 9.0.x release around the middle of
> next week.
Best regards,
Konstantin Kolinko
Re: OpenSSL issues and release plans
Posted by Mark Thomas <ma...@apache.org>.
On 03/05/2016 16:27, Rémy Maucherat wrote:
> 2016-05-03 16:53 GMT+02:00 Mark Thomas <ma...@apache.org>:
>
>> Hi,
>>
>> OpenSSL have released the details of the security fixes in 1.0.2h. I've
>> looked through them quickly and it looks like at least CVE-2016-2107 is
>> applicable to Tomcat-Native.
>>
>> Given that I haven't got 9.0.x to the point where it is ready to release
>> and that it is likely to take a couple more days to do that (mainly
>> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
>> propose to do the following:
>>
> Should I port the direct connection support to 8.5? It looks a bit hacky
> but to be honest I don't want to do it "better", otherwise it will
> instantly become a weird port multiplexing apparatus.
+1
I'm all in favour of keeping 9.0.x and 8.5.x as close as possible.
Mark
Re: OpenSSL issues and release plans
Posted by Rémy Maucherat <re...@apache.org>.
2016-05-03 16:53 GMT+02:00 Mark Thomas <ma...@apache.org>:
> Hi,
>
> OpenSSL have released the details of the security fixes in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
Should I port the direct connection support to 8.5? It looks a bit hacky
but to be honest I don't want to do it "better", otherwise it will
instantly become a weird port multiplexing apparatus.
Rémy