Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/07/05 10:51:56 UTC

[VOTE][CANCELLED] Release Apache Tomcat Native 2.0.0

On 04/07/2022 13:57, Rémy Maucherat wrote:
> On Mon, Jul 4, 2022 at 2:50 PM Mark Thomas <ma...@apache.org> wrote:
>>
>> Hi all,
>>
>> OpenSSL has announced a 3.0.5 release is scheduled for tomorrow that
>> will include security fixes. Depending on the details of those fixes we
>> may need a 2.0.1 release. (And a 1.2.x release.)
>>
>> We currently have 2 PMC votes for this release so we are 1 vote short.
>> There is an argument for proceeding with this release anyway (if it gets
>> another vote) - folks can always build 2.0.0 from source with their
>> chosen version of OpenSSL.
>>
>> My current plan is to wait to see if 2.0.0 gets any further votes and to
>> wait for the details of the OpenSSL security issues and then decide what
>> to do.

Two vulnerabilities were announced:

CVE-2022-2097 doesn't affect TLS so doesn't impact on Tomcat Native's 
use of OpenSSL.

CVE-2022-2274 does affect TLS so does impact on Tomcat Native's use of 
OpenSSL. It only affects 3.0.4 which means the binaries for Windows 
included in the 2.0.0 release are affected but 1.2.x is unaffected.

I have therefore cancelled this 2.0.0 release and will tag 2.0.1 shortly 
and start a release vote.

Mark
