Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/03/31 16:54:45 UTC

[VOTE] Release Apache Tomcat 8.5.78

The proposed Apache Tomcat 8.5.78 release is now available for voting.

The notable changes compared to 8.5.77 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
    pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
    Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
    such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

This is the third release of Tomcat 8.5 that has been built with Java 11 
(in Java 7 mode) instead of Java 7. Please report any strangeness you 
may observe especially if you are running Tomcat 8.5 in an environment 
using Java < 11. We don't expect any issues, but understand that we 
cannot test all possible environmental configurations.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1370
The tag is:
https://github.com/apache/tomcat/tree/8.5.78
f732d3aa5ca55eb07cb73d9ec2b585330f80f00b

The proposed 8.5.78 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.78 (stable)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Raymond Augé <ra...@liferay.com.INVALID>.
> [X] Stable - go ahead and release as 8.5.78 (stable)

On Thu, Mar 31, 2022 at 12:56 PM Mark Thomas <ma...@apache.org> wrote:

> On 31/03/2022 17:54, Mark Thomas wrote:
>
> > The proposed 8.5.78 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 8.5.78 (stable)
>
> Tests pass with Linux, Windows and MacOS
>
> Mark

-- 
*Raymond Augé* (@rotty3000)
Senior Software Architect *Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion

Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Mark Thomas <ma...@apache.org>.
On 31/03/2022 17:54, Mark Thomas wrote:

> The proposed 8.5.78 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.78 (stable)

Tests pass with Linux, Windows and MacOS

Mark



Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 31.03.22 um 18:54 schrieb Mark Thomas:
> The proposed Apache Tomcat 8.5.78 release is now available for voting.
>
> The notable changes compared to 8.5.77 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>    pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>    Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>    such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>    a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> This is the third release of Tomcat 8.5 that has been built with Java 
> 11 (in Java 7 mode) instead of Java 7. Please report any strangeness 
> you may observe especially if you are running Tomcat 8.5 in an 
> environment using Java < 11. We don't expect any issues, but 
> understand that we cannot test all possible environmental configurations.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
>
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
> [x] Stable - go ahead and release as 8.5.78 (stable)

Unit tests run with Java 11 and Java 8 on Linux

Felix


Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Rémy Maucherat <re...@apache.org>.
On Thu, Mar 31, 2022 at 6:55 PM Mark Thomas <ma...@apache.org> wrote:
>
> The proposed Apache Tomcat 8.5.78 release is now available for voting.
>
> The notable changes compared to 8.5.77 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>     pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>     Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>     such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>     a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> This is the third release of Tomcat 8.5 that has been built with Java 11
> (in Java 7 mode) instead of Java 7. Please report any strangeness you
> may observe especially if you are running Tomcat 8.5 in an environment
> using Java < 11. We don't expect any issues, but understand that we
> cannot test all possible environmental configurations.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
>
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.78 (stable)

Rémy



Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Filip Hanik <fi...@hanik.com>.
On Thu, Mar 31, 2022 at 9:55 AM Mark Thomas <ma...@apache.org> wrote:

> The proposed Apache Tomcat 8.5.78 release is now available for voting.
>
> The notable changes compared to 8.5.77 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>     pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>     Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>     such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>     a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> This is the third release of Tomcat 8.5 that has been built with Java 11
> (in Java 7 mode) instead of Java 7. Please report any strangeness you
> may observe especially if you are running Tomcat 8.5 in an environment
> using Java < 11. We don't expect any issues, but understand that we
> cannot test all possible environmental configurations.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
>
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
>
> [X] Stable - go ahead and release as 8.5.78 (stable)

Filip

[VOTE][RESULT] Release Apache Tomcat 8.5.78

Posted by Mark Thomas <ma...@apache.org>.
Hi all,

I am calling the result of this release vote earlier than usual to make 
the alternative mitigation for the Spring vulnerability CVE-2022-22965 
available sooner rather than later.

The following votes were cast:

Binding:
+1: markt, remm, fhanik, schultz, fschumacher

Non-binding:
+1: rotty3000

The vote therefore passes.

Thanks to everyone who has contributed to this release.

Mark


On 31/03/2022 17:54, Mark Thomas wrote:
> The proposed Apache Tomcat 8.5.78 release is now available for voting.
> 
> The notable changes compared to 8.5.77 are:
> 
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>     pick up Windows binaries built with OpenSSL 1.1.1n.
> 
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>     Thomas Hoffmann.
> 
> - Add additional warnings if incompatible TLS configurations are used
>     such as HTTP/2 with CLIENT-CERT authentication
> 
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>     a Spring Framework vulnerability
> 
> Along with lots of other bug fixes and improvements.
> 
> This is the third release of Tomcat 8.5 that has been built with Java 11 
> (in Java 7 mode) instead of Java 7. Please report any strangeness you 
> may observe especially if you are running Tomcat 8.5 in an environment 
> using Java < 11. We don't expect any issues, but understand that we 
> cannot test all possible environmental configurations.
> 
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
> 
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 8.5.78 (stable)



Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Rémy Maucherat <re...@apache.org>.
On Thu, Mar 31, 2022 at 11:14 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:
>
> Mark,
>
> Thanks for RMing. I hope I didn't break your 8.5.78 git tag. I was 2.5
> hours later than you, and didn't realize you had already rolled the release.

It looks fine: https://github.com/apache/tomcat/tree/8.5.78

Rémy

> Mark, there are two signature files missing from the release artifacts,
> detailed below. Can you check on those?
>
> On 3/31/22 12:54, Mark Thomas wrote:
> > The proposed Apache Tomcat 8.5.78 release is now available for voting.
> >
> > The notable changes compared to 8.5.77 are:
> >
> > - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> >     pick up Windows binaries built with OpenSSL 1.1.1n.
> >
> > - Improve logging of unknown HTTP/2 settings frames. Pull request by
> >     Thomas Hoffmann.
> >
> > - Add additional warnings if incompatible TLS configurations are used
> >     such as HTTP/2 with CLIENT-CERT authentication
> >
> > - Harden the class loader to provide a mitigation for CVE-2022-22965
> >     a Spring Framework vulnerability
> >
> > Along with lots of other bug fixes and improvements.
> >
> > This is the third release of Tomcat 8.5 that has been built with Java 11
> > (in Java 7 mode) instead of Java 7. Please report any strangeness you
> > may observe especially if you are running Tomcat 8.5 in an environment
> > using Java < 11. We don't expect any issues, but understand that we
> > cannot test all possible environmental configurations.
> >
> > For full details, see the changelog:
> > https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
> >
> > It can be obtained from:
> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> > The Maven staging repo is:
> > https://repository.apache.org/content/repositories/orgapachetomcat-1370
> > The tag is:
> > https://github.com/apache/tomcat/tree/8.5.78
> > f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
> >
> > The proposed 8.5.78 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 8.5.78 (stable)
>
> Works on a vanilla servlet-based web application in a testing environment.
>
> Unit tests pass on Debian Linux and MacOS Big Sur.
>
> Note: the files apache-tomcat-8.5.78.zip.asc and
> apache-tomcat-8.5.78.tar.gz.asc were expected but missing.
>
> Details:
> * Environment
> *  Java (build):     openjdk version "1.8.0_292" OpenJDK Runtime
> Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit
> Server VM (build 25.292-b10, mixed mode)
> *  Java (test):     openjdk version "1.8.0_292" OpenJDK Runtime
> Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit
> Server VM (build 25.292-b10, mixed mode)
> *  OS:       Linux 4.19.0-18-amd64 x86_64
> *  cc:       cc (Debian 8.3.0-6) 8.3.0
> *  make:     GNU Make 4.2.1
> *  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
> *  APR:      1.6.5
> *
> * Valid SHA-512 signature for apache-tomcat-8.5.78.zip
> * !! Invalid GPG signature for apache-tomcat-8.5.78.zip
> * Valid SHA-512 signature for apache-tomcat-8.5.78.tar.gz
> * !! Invalid GPG signature for apache-tomcat-8.5.78.tar.gz
> * Valid SHA-512 signature for apache-tomcat-8.5.78.exe
> * Valid GPG signature for apache-tomcat-8.5.78.exe
> * Valid Windows Digital Signature for apache-tomcat-8.5.78.exe
> * Valid SHA512 signature for apache-tomcat-8.5.78-src.zip
> * Valid GPG signature for apache-tomcat-8.5.78-src.zip
> * Valid SHA512 signature for apache-tomcat-8.5.78-src.tar.gz
> * Valid GPG signature for apache-tomcat-8.5.78-src.tar.gz
> *
> * Binary Zip and tarball: Same
> * Source Zip and tarball: Same
> *
> * Building dependencies returned: 0
> * tcnative builds cleanly
> * Tomcat builds cleanly
> * Junit Tests: PASSED
>
> -chris



Re: [VOTE] Release Apache Tomcat 8.5.78

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

Thanks for RMing. I hope I didn't break your 8.5.78 git tag. I was 2.5 
hours later than you, and didn't realize you had already rolled the release.

Mark, there are two signature files missing from the release artifacts, 
detailed below. Can you check on those?

On 3/31/22 12:54, Mark Thomas wrote:
> The proposed Apache Tomcat 8.5.78 release is now available for voting.
> 
> The notable changes compared to 8.5.77 are:
> 
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>     pick up Windows binaries built with OpenSSL 1.1.1n.
> 
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>     Thomas Hoffmann.
> 
> - Add additional warnings if incompatible TLS configurations are used
>     such as HTTP/2 with CLIENT-CERT authentication
> 
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>     a Spring Framework vulnerability
> 
> Along with lots of other bug fixes and improvements.
> 
> This is the third release of Tomcat 8.5 that has been built with Java 11 
> (in Java 7 mode) instead of Java 7. Please report any strangeness you 
> may observe especially if you are running Tomcat 8.5 in an environment 
> using Java < 11. We don't expect any issues, but understand that we 
> cannot test all possible environmental configurations.
> 
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
> 
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.78 (stable)

Works on a vanilla servlet-based web application in a testing environment.

Unit tests pass on Debian Linux and MacOS Big Sur.

Note: the files apache-tomcat-8.5.78.zip.asc and 
apache-tomcat-8.5.78.tar.gz.asc were expected but missing.

Details:
* Environment
*  Java (build):     openjdk version "1.8.0_292" OpenJDK Runtime 
Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit 
Server VM (build 25.292-b10, mixed mode)
*  Java (test):     openjdk version "1.8.0_292" OpenJDK Runtime 
Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit 
Server VM (build 25.292-b10, mixed mode)
*  OS:       Linux 4.19.0-18-amd64 x86_64
*  cc:       cc (Debian 8.3.0-6) 8.3.0
*  make:     GNU Make 4.2.1
*  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
*  APR:      1.6.5
*
* Valid SHA-512 signature for apache-tomcat-8.5.78.zip
* !! Invalid GPG signature for apache-tomcat-8.5.78.zip
* Valid SHA-512 signature for apache-tomcat-8.5.78.tar.gz
* !! Invalid GPG signature for apache-tomcat-8.5.78.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.78.exe
* Valid GPG signature for apache-tomcat-8.5.78.exe
* Valid Windows Digital Signature for apache-tomcat-8.5.78.exe
* Valid SHA512 signature for apache-tomcat-8.5.78-src.zip
* Valid GPG signature for apache-tomcat-8.5.78-src.zip
* Valid SHA512 signature for apache-tomcat-8.5.78-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.78-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

-chris
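
The report above lists "Invalid GPG signature" for the same two artifacts whose .asc files were noted as missing. The following shell functions are an added example, not part of the original thread and not the script that produced the report; they classify a missing signature file separately from a signature that fails verification. Assumptions: each artifact has a sibling `<artifact>.sha512` whose first field is the hex digest, a detached signature at `<artifact>.asc`, and the signer's public key is already in the local GnuPG keyring.

```shell
#!/bin/sh
# Added example: per-artifact checksum and signature status for a release
# candidate directory. File layout (<artifact>.sha512, <artifact>.asc) is an
# assumption stated in the lead-in.

sha512_of() {
    # Print the lowercase hex SHA-512 digest of the file named in $1.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

check_digest() {
    # Print valid, invalid or missing for $1 against $1.sha512.
    art=$1
    [ -f "$art.sha512" ] || { echo missing; return 0; }
    # First whitespace-separated field of the first line is the digest.
    want=$(awk 'NR==1 {print tolower($1)}' "$art.sha512")
    have=$(sha512_of "$art")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo valid
    else
        echo invalid
    fi
}

check_signature() {
    # Print valid, invalid, missing or unchecked for $1 against $1.asc.
    # "missing" means there is no signature file at all; "invalid" is
    # reserved for a signature that exists and fails verification.
    art=$1
    [ -f "$art.asc" ] || { echo missing; return 0; }
    command -v gpg >/dev/null 2>&1 || { echo unchecked; return 0; }
    if gpg --batch --verify "$art.asc" "$art" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

verify_artifact() {
    # One summary line per artifact.
    echo "$(basename "$1"): sha512=$(check_digest "$1") gpg=$(check_signature "$1")"
}

# When artifact paths are given on the command line, report on each of them.
for f in "$@"; do
    verify_artifact "$f"
done
```

Run it with the downloaded artifact paths as arguments; a `gpg=missing` line calls for asking the release manager for the .asc file, while `gpg=invalid` means the artifact should not be trusted.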
