Tue, 31 Jan 2023 at 20:52, Mark Thomas <ma...@apache.org>:
>
> Hi all,
>
> As I started to think about preparing for the February release round, I
> received the notification from the OpenSSL project that they have a
> security release planned for a week today. That security release may (or
> may not) trigger a Tomcat Native release.

1. A mail on the OpenSSL announcements mailing list says:
"on Tuesday 7th February 2023  between 1300-1700 UTC."
https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html

2. There were releases of APR 1.7.1, and of APR Utils a day ago.

CVE-2022-28331 fixed in APR 1.7.1 mentions "apr_socket_sendv()",
and that function is used in Tomcat Native 1.2.x
(and not used in Tomcat Native 2.0.x).

Current Tomcat Native binaries are built with APR 1.7.0.

Thus I think releases of both 1.2.x and 2.0.x branches will be needed.

> I was wondering whether to delay the February release round in case we
> need to pick up a new Tomcat Native release. It really only affects
> Windows users since everyone else builds their own Tomcat Native
> library. In the Windows case it is trivial to update the library if
> required so I'm not sure if it merits delaying the releases...
>
> Thoughts?

I am available to test and vote for Tomcat 8.5 and 9.0.
I have no plans for Tomcat 10.1 and 11 now.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org