2016-05-03 17:53 GMT+03:00 Mark Thomas <[email protected]>:
> Hi,
>
> OpenSSL have released the details of the security fixes in 1.0.2h. I've
> looked through them quickly and it looks like at least CVE-2016-2107 is
> applicable to Tomcat-Native.
>
> Given that I haven't got 9.0.x to the point where it is ready to release
> and that it is likely to take a couple more days to do that (mainly
> because of https://bz.apache.org/bugzilla/show_bug.cgi?id=59226), I
> propose to do the following:
>
> Update Tomcat-Native to reference 1.0.2h (possibly the only change since
> 1.2.6) and tag 1.2.7. I should be able to do that later today. By the
> time the release vote for that has finished, I should be in a position
> to tag 9.0.x and can pick up the new Tomcat-Native just before I tag.

+1.

Native 1.2.6 had a wrong VERSIONS file (at the root of binary *.zip files,
at native/srclib/VERSIONS in source archives) saying APR 1.5.1, while
1.5.2 was actually used.

> If all goes to plan, we should have a 9.0.x release around the middle of
> next week.

Best regards,
Konstantin Kolinko
