Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2019/04/10 14:58:40 UTC

[VOTE] Release Apache Tomcat 8.5.40

The proposed Apache Tomcat 8.5.40 release is now available for voting.

The major changes compared to the 8.5.39 release are:

- Fix for CVE-2019-0232, an RCE vulnerability on Windows

- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
  now supported if used with an ECJ version with support for those Java
  versions

- Various NIO2 stability improvements


Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1208/

The tag is:
https://github.com/apache/tomcat/tree/8.5.40
5ec070352b283535946327b44228b610a27a76c5


The proposed 8.5.40 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.40


Due to the security fix contained in this release, the voting period may
be shortened once sufficient votes are cast to enable a faster release.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Keiichi Fujino <kf...@apache.org>.
On Wed, Apr 10, 2019 at 23:58, Mark Thomas <ma...@apache.org> wrote:

> The proposed Apache Tomcat 8.5.40 release is now available for voting.
>
> The major changes compared to the 8.5.39 release are:
>
> - Fix for CVE-2019-0232, an RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>   now supported if used with an ECJ version with support for those Java
>   versions
>
> - Various NIO2 stability improvements
>
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1208/
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.40
> 5ec070352b283535946327b44228b610a27a76c5
>
>
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40
>

+1
Tested on a simple hand-made app (session replication enabled).


> Due to the security fix contained in this release, the voting period may
> be shortened once sufficient votes are cast to enable a faster release.
>
>
>

-- 
Keiichi.Fujino

Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Igal Sapir <is...@apache.org>.
On 4/10/2019 7:58 AM, Mark Thomas wrote:
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40

Unit tests pass for NIO, NIO2, and APR on Windows 10 with Java 1.8u181 
and TC-Native 1.2.21 and Ubuntu 18.04 with Java 1.8u202 and TC-Native 1.2.21

Igal





Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Mark Thomas <ma...@apache.org>.
On 10/04/2019 15:58, Mark Thomas wrote:
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40

Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21

Mark



Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Rémy Maucherat <re...@apache.org>.
On Wed, Apr 10, 2019 at 4:58 PM Mark Thomas <ma...@apache.org> wrote:

> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40
>

Rémy

Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 4/11/19 12:40, Mark Thomas wrote:
> On 11/04/2019 15:21, Christopher Schultz wrote:
> 
> <snip/>
> 
>> I'm having a bit of trouble building the bundled tcnative. I've
>> tried building against OpenSSL 1.0.2k and 1.1.1 and both of the
>> "configure" invocations gave me a message similar to the
>> following:
>> 
>> checking for OpenSSL library... using openssl from 
>> /home/cschultz/openssl-1.0.2k/target/target/${exec_prefix}/lib
>> and /home/cschultz/openssl-1.0.2k/target/target/include checking
>> OpenSSL library version >= 1.0.2... configure: error: Your 
>> version of OpenSSL is not compatible with this version of
>> tcnative
>> 
>> Any ideas for what to check? That ${exec_prefix} in there looks a
>> little fishy. Here's my configure command:
>> 
>> ./configure --with-apr=/usr/bin 
>> --with-ssl=/home/cschultz/openssl-1.0.2k/target/target
> 
> That looks odd with 2 targets on the end.

You're right, it does.

I corrected that and it seems that was the problem. :(

That "configure" command was generated by my test-tomcat script. Hmm.
I'll have to see what's wrong, there.

Aha. A hardware migration + directory re-organization has simply
broken the path. Oddly, this causes the build to fail. Had it
fallen-back to the OS's default OpenSSL version (1.1.0j in my case), I
would have expected it to succeed.

Perhaps the fallback isn't working reliably?

>> --with-java-home=/usr/lib/jvm/java-8-openjdk-amd64
> 
> I did a little testing with this.
> 
> I agree the ${exec_prefix} looks odd but it doesn't appear to be 
> breaking anything.
> 
> When I provide a valid path to an OpenSSL build everything works
> as expected (1.0.2, 1.1.0, 1.1.1 and master).
> 
> When I provide an invalid path to an OpenSSL build then it appears
> to pick up the version of OpenSSL installed by the OS.
> 
> I see two (minor) problems we could fix:
> 
> 1. The ${exec_prefix} oddity
> 
> 2. If an invalid OpenSSL path is specified the build should fail
> rather than pick up a system default.
> 
> Given that everything appears to work as intended with valid input,
> I don't see any immediate need to roll a Tomcat Native release.

+1  - no release is necessary.

-chris



Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Mark Thomas <ma...@apache.org>.
On 11/04/2019 15:21, Christopher Schultz wrote:

<snip/>

> I'm having a bit of trouble building the bundled tcnative. I've tried
> building against OpenSSL 1.0.2k and 1.1.1 and both of the "configure"
> invocations gave me a message similar to the following:
> 
> checking for OpenSSL library... using openssl from
> /home/cschultz/openssl-1.0.2k/target/target/${exec_prefix}/lib and
> /home/cschultz/openssl-1.0.2k/target/target/include
> checking OpenSSL library version >= 1.0.2... configure: error: Your
> version of OpenSSL is not compatible with this version of tcnative
> 
> Any ideas for what to check? That ${exec_prefix} in there looks a little
> fishy. Here's my configure command:
> 
> ./configure --with-apr=/usr/bin
> --with-ssl=/home/cschultz/openssl-1.0.2k/target/target

That looks odd with 2 targets on the end.

> --with-java-home=/usr/lib/jvm/java-8-openjdk-amd64

I did a little testing with this.

I agree the ${exec_prefix} looks odd but it doesn't appear to be
breaking anything.

When I provide a valid path to an OpenSSL build everything works as
expected (1.0.2, 1.1.0, 1.1.1 and master).

When I provide an invalid path to an OpenSSL build then it appears to
pick up the version of OpenSSL installed by the OS.

I see two (minor) problems we could fix:

1. The ${exec_prefix} oddity

2. If an invalid OpenSSL path is specified the build should fail rather
   than pick up a system default.

Given that everything appears to work as intended with valid input, I
don't see any immediate need to roll a Tomcat Native release.

Thoughts?

Mark
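
Added example (not part of the original thread and not Tomcat Native code): a pre-flight check that makes a bad --with-ssl path fail before configure runs, instead of letting the build pick up the system OpenSSL. The function names, the CONFIGURE variable and the tested layout (include/openssl/opensslv.h plus libssl under lib or lib64) are assumptions.

```shell
#!/bin/sh
# Assumed layout of an OpenSSL install prefix; adjust for your own build tree.

# check_ssl_prefix DIR
# Returns 0 if DIR looks like an OpenSSL install prefix, otherwise:
#   1 = DIR is missing or not a directory
#   2 = headers not found under DIR/include
#   3 = no libssl under DIR/lib or DIR/lib64
check_ssl_prefix() {
    prefix=$1
    if [ -z "$prefix" ] || [ ! -d "$prefix" ]; then
        echo "OpenSSL prefix '$prefix' is not a directory" >&2
        return 1
    fi
    if [ ! -f "$prefix/include/openssl/opensslv.h" ]; then
        echo "no include/openssl/opensslv.h under '$prefix'" >&2
        return 2
    fi
    # An unmatched glob stays literal, so the -f test simply fails for it.
    for lib in "$prefix"/lib/libssl.* "$prefix"/lib64/libssl.*; do
        if [ -f "$lib" ]; then
            return 0
        fi
    done
    echo "no libssl under '$prefix/lib' or '$prefix/lib64'" >&2
    return 3
}

# guarded_configure DIR [extra configure args...]
# Runs configure only when DIR passes the check, so a stale path from a
# generated build script stops the build rather than changing which
# OpenSSL gets linked. CONFIGURE is a hypothetical override for testing.
guarded_configure() {
    prefix=$1
    shift
    check_ssl_prefix "$prefix" || return $?
    "${CONFIGURE:-./configure}" --with-ssl="$prefix" "$@"
}
```

Typical use from a build script: guarded_configure "$OPENSSL_HOME" --with-apr=/usr/bin || exit 1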



Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

Gah. I replied to Mark only yesterday. :(

On 4/10/19 10:58, Mark Thomas wrote:
> The proposed Apache Tomcat 8.5.40 release is now available for
> voting.
> 
> The major changes compared to the 8.5.39 release are:
> 
> - Fix for CVE-2019-0232, an RCE vulnerability on Windows
> 
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are
> also now supported if used with an ECJ version with support for
> those Java versions
> 
> - Various NIO2 stability improvements
> 
> 
> Along with lots of other bug fixes and improvements.
> 
> For full details, see the changelog: 
> https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html
> 
> It can be obtained from: 
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/
> 
> The Maven staging repo is: 
> https://repository.apache.org/content/repositories/orgapachetomcat-1208/
> 
> The tag is: https://github.com/apache/tomcat/tree/8.5.40 
> 5ec070352b283535946327b44228b610a27a76c5
> 
> 
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 8.5.40

I'm having a bit of trouble building the bundled tcnative. I've tried
building against OpenSSL 1.0.2k and 1.1.1 and both of the "configure"
invocations gave me a message similar to the following:

checking for OpenSSL library... using openssl from
/home/cschultz/openssl-1.0.2k/target/target/${exec_prefix}/lib and
/home/cschultz/openssl-1.0.2k/target/target/include
checking OpenSSL library version >= 1.0.2... configure: error: Your
version of OpenSSL is not compatible with this version of tcnative

Any ideas for what to check? That ${exec_prefix} in there looks a little
fishy. Here's my configure command:

./configure --with-apr=/usr/bin
--with-ssl=/home/cschultz/openssl-1.0.2k/target/target
--with-java-home=/usr/lib/jvm/java-8-openjdk-amd64

-chris





Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Coty Sutherland <cs...@redhat.com>.
On Wed, Apr 10, 2019 at 10:58 AM Mark Thomas <ma...@apache.org> wrote:

> The proposed Apache Tomcat 8.5.40 release is now available for voting.
>
> The major changes compared to the 8.5.39 release are:
>
> - Fix for CVE-2019-0232, an RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>   now supported if used with an ECJ version with support for those Java
>   versions
>
> - Various NIO2 stability improvements
>
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1208/
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.40
> 5ec070352b283535946327b44228b610a27a76c5
>
>
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [x] Stable - go ahead and release as 8.5.40
>

+1


>
>
> Due to the security fix contained in this release, the voting period may
> be shortened once sufficient votes are cast to enable a faster release.
>
>
>

Re: [VOTE][RESULT] Release Apache Tomcat 8.5.40

Posted by Mark Thomas <ma...@apache.org>.
The following votes were cast:

Binding:
+1: markt, isapir, kfujino, violetagg, remm, csutherl

I wasn't sure if Chris's +1 was for the release or just that he agreed
we didn't need another Tomcat-Native release.

Since it doesn't change the result I'm going to err on the side of
caution and not include it.

Thanks to everyone who contributed to this release.

I'll send the announcement out once the mirrors sync.

Mark



Re: [VOTE] Release Apache Tomcat 8.5.40

Posted by Violeta Georgieva <vi...@apache.org>.
On Wed, 10.04.2019 at 17:58, Mark Thomas <ma...@apache.org> wrote:
>
> The proposed Apache Tomcat 8.5.40 release is now available for voting.
>
> The major changes compared to the 8.5.39 release are:
>
> - Fix for CVE-2019-0232, an RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>   now supported if used with an ECJ version with support for those Java
>   versions
>
> - Various NIO2 stability improvements
>
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat85/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.40/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1208/
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.40
> 5ec070352b283535946327b44228b610a27a76c5
>
>
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40


Regards,
Violeta

>
> Due to the security fix contained in this release, the voting period may
> be shortened once sufficient votes are cast to enable a faster release.
>