Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2023/05/24 08:28:55 UTC

Timing for June releases

Hi all,

OpenSSL has just announced a security fix release for 30 May.

We won't know what the security issues are until then so my tentative 
plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release 
Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions to 
use the new Native versions and then start the June releases.

Thoughts?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Timing for June releases

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 5/30/23 13:14, Mark Thomas wrote:
> On 30/05/2023 16:54, Christopher Schultz wrote:
>> All,
>>
>> On 5/26/23 13:46, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 5/24/23 04:28, Mark Thomas wrote:
>>>> OpenSSL has just announced a security fix release for 30 May.
>>>>
>>>> We won't know what the security issues are until then so my 
>>>> tentative plan is to tag and release Native 1.2.x and 2.0.x on 31 
>>>> May, release Native 1.2.x and 2.0.x relatively quickly, update all 
>>>> Tomcat versions to use the new Native versions and then start the 
>>>> June releases.
>>>>
>>>> Thoughts?
>>>
>>> Sounds good. I can set aside some time on Wednesday morning to roll 
>>> 10.1.x and 8.5.x as well.
>>
>> Having read the announcement, I don't think there is a particular rush 
>> to get the June release out ASAP.
>>
>> We bundle OpenSSL 1.1.1 with official Tomcat releases and the 
>> announcement seems to indicate that 1.1.1 is even less affected than 
>> usual.
> 
> Tomcat Native 2.x binaries (for Windows) are built with OpenSSL 3.0.x
> Tomcat Native 1.x binaries (for Windows) are built with OpenSSL 1.1.1
> 
> It looks like the only risk is if CLIENT-CERT authentication is used and 
> even then with the limits OpenSSL has in place the DoS opportunities are 
> pretty small.
> 
> I'm leaning towards doing a release anyway. I should be able to get it 
> done later today.

I think I misread your initial email; you were suggesting doing a 
tcnative release today/tomorrow and then doing the Tomcat releases 
immediately thereafter. +1 to that plan.

-chris



Re: Timing for June releases

Posted by Mark Thomas <ma...@apache.org>.
On 30/05/2023 16:54, Christopher Schultz wrote:
> All,
> 
> On 5/26/23 13:46, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/24/23 04:28, Mark Thomas wrote:
>>> OpenSSL has just announced a security fix release for 30 May.
>>>
>>> We won't know what the security issues are until then so my tentative 
>>> plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release 
>>> Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions 
>>> to use the new Native versions and then start the June releases.
>>>
>>> Thoughts?
>>
>> Sounds good. I can set aside some time on Wednesday morning to roll 
>> 10.1.x and 8.5.x as well.
> 
> Having read the announcement, I don't think there is a particular rush 
> to get the June release out ASAP.
> 
> We bundle OpenSSL 1.1.1 with official Tomcat releases and the 
> announcement seems to indicate that 1.1.1 is even less affected than usual.

Tomcat Native 2.x binaries (for Windows) are built with OpenSSL 3.0.x
Tomcat Native 1.x binaries (for Windows) are built with OpenSSL 1.1.1

It looks like the only risk is if CLIENT-CERT authentication is used and 
even then with the limits OpenSSL has in place the DoS opportunities are 
pretty small.

I'm leaning towards doing a release anyway. I should be able to get it 
done later today.

Mark



Re: Timing for June releases

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

On 5/26/23 13:46, Christopher Schultz wrote:
> Mark,
> 
> On 5/24/23 04:28, Mark Thomas wrote:
>> OpenSSL has just announced a security fix release for 30 May.
>>
>> We won't know what the security issues are until then so my tentative 
>> plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release 
>> Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions 
>> to use the new Native versions and then start the June releases.
>>
>> Thoughts?
> 
> Sounds good. I can set aside some time on Wednesday morning to roll 
> 10.1.x and 8.5.x as well.

Having read the announcement, I don't think there is a particular rush 
to get the June release out ASAP.

We bundle OpenSSL 1.1.1 with official Tomcat releases and the 
announcement seems to indicate that 1.1.1 is even less affected than usual.

-chris



Re: Timing for June releases

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 5/24/23 04:28, Mark Thomas wrote:
> OpenSSL has just announced a security fix release for 30 May.
> 
> We won't know what the security issues are until then so my tentative 
> plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release 
> Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions to 
> use the new Native versions and then start the June releases.
> 
> Thoughts?

Sounds good. I can set aside some time on Wednesday morning to roll 
10.1.x and 8.5.x as well.

-chris



Re: Timing for June releases

Posted by Rémy Maucherat <re...@apache.org>.
On Wed, May 24, 2023 at 10:29 AM Mark Thomas <ma...@apache.org> wrote:
>
> Hi all,
>
> OpenSSL has just announced a security fix release for 30 May.
>
> We won't know what the security issues are until then so my tentative
> plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release
> Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions to
> use the new Native versions and then start the June releases.
>
> Thoughts?

+1

Rémy



Re: Timing for June releases

Posted by Han Li <li...@apache.org>.

> On May 24, 2023, at 16:28, Mark Thomas <ma...@apache.org> wrote:
> 
> Hi all,
> 
> OpenSSL has just announced a security fix release for 30 May.
> 
> We won't know what the security issues are until then so my tentative plan is to tag and release Native 1.2.x and 2.0.x on 31 May, release Native 1.2.x and 2.0.x relatively quickly, update all Tomcat versions to use the new Native versions and then start the June releases.
> 
> Thoughts?
+1
> 
> Mark
> 

