[RESULT][VOTE] Release Apache Tomcat 6.0.43
The following votes were cast: Binding: +1: markt, kkolinko, violetagg, jfclere Non-binding: +1: Andrew Carr This vote therefore passes. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 6.0.43
Chris, Thanks for the response. I didn't understand the nope at the bottom. Was it in reference to the Java 8 documentation or the screenshot? If it was the screenshot, it is attached to my email, but maybe the mailing list removed it? http://snag.gy/lcyLt.jpg -Andrew On Thu, Nov 20, 2014 at 3:54 PM, Christopher Schultz ch...@christopherschultz.net wrote: Andrew, On 11/19/14 2:47 AM, Andrew Carr wrote: If you review the Tomcat 6 documentation here: https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support , you will see sslEnabledProtocols. On the desc. for that setting there are links for Java 6 and Java 7 protocol lists, and they both include SSLv2. Not nitpicking here, just know that I saw it. I was looking at the TC 6 - Java 6 / 7 documentation because I was working with Tomcat 6 and Java 7. Fair enough. Two thoughts: 1. This is not a regression; it would have happened to any previous Tomcat 6.x with this JVM version 2. Nobody cares about SSLv2 and it's good that new JVMs will fail to configure a socket with that protocol enabled I understand it is not in the Java 8 documentation. I attached a screenshot. Nope. -chris On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz ch...@christopherschultz.net mailto:ch...@christopherschultz.net wrote: Andrew, On 11/18/14 2:58 PM, Andrew Carr wrote: Chris, Thank you for the response. I will include the full stack trace next time. Note that, like polio, SSLv2 has been wiped from the face of the planet. This is not an error. This will not impact anyone of consequence. You may be looking for SSLv2Hello. -chirs You said that I might be looking for SSLv2Hello, but I am not. My point is not the use of SSLv2 because it would be wise, but the fact that the list of protocols on the Oracle page includes SSLv2. It most certainly *does not*: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider SSLv2 is dead, dead, dead. This list is referred to by the tomcat configuration documentation, which would lead someone to believe this is a valid setting. Maybe we just add a note about SSLv2? There are notes everywhere that SSLv2 is not trusted. Maybe it's not important? Not really. Anyone wanting to use SSLv2 should experience abject failure. -chris -- With Regards, Andrew Carr e. andrewlanec...@gmail.com mailto:andrewlanec...@gmail.com w. andrew.c...@openlogic.com mailto:andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743
Re: [VOTE] Release Apache Tomcat 6.0.43
Andrew, On 11/19/14 2:47 AM, Andrew Carr wrote: If you review the Tomcat 6 documentation here: https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support , you will see sslEnabledProtocols. On the desc. for that setting there are links for Java 6 and Java 7 protocol lists, and they both include SSLv2. Not nitpicking here, just know that I saw it. I was looking at the TC 6 - Java 6 / 7 documentation because I was working with Tomcat 6 and Java 7. Fair enough. Two thoughts: 1. This is not a regression; it would have happened to any previous Tomcat 6.x with this JVM version 2. Nobody cares about SSLv2 and it's good that new JVMs will fail to configure a socket with that protocol enabled I understand it is not in the Java 8 documentation. I attached a screenshot. Nope. -chris On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz ch...@christopherschultz.net mailto:ch...@christopherschultz.net wrote: Andrew, On 11/18/14 2:58 PM, Andrew Carr wrote: Chris, Thank you for the response. I will include the full stack trace next time. Note that, like polio, SSLv2 has been wiped from the face of the planet. This is not an error. This will not impact anyone of consequence. You may be looking for SSLv2Hello. -chirs You said that I might be looking for SSLv2Hello, but I am not. My point is not the use of SSLv2 because it would be wise, but the fact that the list of protocols on the Oracle page includes SSLv2. It most certainly *does not*: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider SSLv2 is dead, dead, dead. This list is referred to by the tomcat configuration documentation, which would lead someone to believe this is a valid setting. Maybe we just add a note about SSLv2? There are notes everywhere that SSLv2 is not trusted. Maybe it's not important? Not really. Anyone wanting to use SSLv2 should experience abject failure. -chris -- With Regards, Andrew Carr e. andrewlanec...@gmail.com mailto:andrewlanec...@gmail.com w. andrew.c...@openlogic.com mailto:andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org signature.asc Description: OpenPGP digital signature
Re: [VOTE] Release Apache Tomcat 6.0.43
On 11/14/2014 11:42 AM, Mark Thomas wrote: [X] Stable - go ahead and release as 6.0.43 Stable My tests are passing. Cheers Jean-Frederic - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 6.0.43
Andrew, On 11/17/14 2:26 PM, Andrew Carr wrote: +1 stable for me However, and I don't know if this is a game changer, I am having a problem when implementing SSL using the NIOConnector, althought the problem does not look like a Tomcat source problem. I did verify that disabling SSLv3 does indeed prevent a client from connecting to the server with SSLv3 protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg exception... Looks like this would be on the Java side, should I log it? SSLv2 is a valid option according to the Java documnetation. Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) Please provide the remainder of the stack trace next time. Based on this though I think I should log the error with Oracle? I was using JDK 7, and I based SSLv2 being valid from the protocol list here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames Note that, like polio, SSLv2 has been wiped from the face of the planet. This is not an error. This will not impact anyone of consequence. You may be looking for SSLv2Hello. -chirs signature.asc Description: OpenPGP digital signature
Re: [VOTE] Release Apache Tomcat 6.0.43
Chris, Thank you for the response. I will include the full stack trace next time. Note that, like polio, SSLv2 has been wiped from the face of the planet. This is not an error. This will not impact anyone of consequence. You may be looking for SSLv2Hello. -chirs You said that I might be looking for SSLv2Hello, but I am not. My point is not the use of SSLv2 because it would be wise, but the fact that the list of protocols on the Oracle page includes SSLv2. This list is referred to by the tomcat configuration documentation, which would lead someone to believe this is a valid setting. Maybe we just add a note about SSLv2? Maybe it's not important? -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743
Re: [VOTE] Release Apache Tomcat 6.0.43
2014-11-17 22:26 GMT+03:00 Andrew Carr andrewlanec...@gmail.com: +1 stable for me However, and I don't know if this is a game changer, I am having a problem when implementing SSL using the NIOConnector, althought the problem does not look like a Tomcat source problem. I did verify that disabling SSLv3 does indeed prevent a client from connecting to the server with SSLv3 protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg exception... Looks like this would be on the Java side, should I log it? SSLv2 is a valid option according to the Java documnetation. Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) Based on this though I think I should log the error with Oracle? I was using JDK 7, and I based SSLv2 being valid from the protocol list here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames -Andrew Full Exception: Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84) at sun.security.ssl.ProtocolList.init(ProtocolList.java:52) I think that is just Sun/Oracle's way to remove support for SSLv2. There is nothing that Tomcat devs can do about. That standard names page is just a general reference. Specific JRE vendors may implement a subset/superset of it. E.g. if you follow Note: The Sun Provider Documentation contains specific provider and algorithm information. link at the top of the page, you come here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html and there is no SSLv2 on that second page. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 6.0.43
Thanks Konstantin On Tue, Nov 18, 2014 at 3:09 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-11-17 22:26 GMT+03:00 Andrew Carr andrewlanec...@gmail.com: +1 stable for me However, and I don't know if this is a game changer, I am having a problem when implementing SSL using the NIOConnector, althought the problem does not look like a Tomcat source problem. I did verify that disabling SSLv3 does indeed prevent a client from connecting to the server with SSLv3 protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg exception... Looks like this would be on the Java side, should I log it? SSLv2 is a valid option according to the Java documnetation. Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) Based on this though I think I should log the error with Oracle? I was using JDK 7, and I based SSLv2 being valid from the protocol list here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames -Andrew Full Exception: Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84) at sun.security.ssl.ProtocolList.init(ProtocolList.java:52) I think that is just Sun/Oracle's way to remove support for SSLv2. There is nothing that Tomcat devs can do about. That standard names page is just a general reference. Specific JRE vendors may implement a subset/superset of it. E.g. if you follow Note: The Sun Provider Documentation contains specific provider and algorithm information. link at the top of the page, you come here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html and there is no SSLv2 on that second page. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743
Re: [VOTE] Release Apache Tomcat 6.0.43
Andrew, On 11/18/14 2:58 PM, Andrew Carr wrote: Chris, Thank you for the response. I will include the full stack trace next time. Note that, like polio, SSLv2 has been wiped from the face of the planet. This is not an error. This will not impact anyone of consequence. You may be looking for SSLv2Hello. -chirs You said that I might be looking for SSLv2Hello, but I am not. My point is not the use of SSLv2 because it would be wise, but the fact that the list of protocols on the Oracle page includes SSLv2. It most certainly *does not*: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider SSLv2 is dead, dead, dead. This list is referred to by the tomcat configuration documentation, which would lead someone to believe this is a valid setting. Maybe we just add a note about SSLv2? There are notes everywhere that SSLv2 is not trusted. Maybe it's not important? Not really. Anyone wanting to use SSLv2 should experience abject failure. -chris signature.asc Description: OpenPGP digital signature
Re: [VOTE] Release Apache Tomcat 6.0.43
If you review the Tomcat 6 documentation here: https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support , you will see sslEnabledProtocols. On the desc. for that setting there are links for Java 6 and Java 7 protocol lists, and they both include SSLv2. Not nitpicking here, just know that I saw it. I was looking at the TC 6 - Java 6 / 7 documentation because I was working with Tomcat 6 and Java 7. I understand it is not in the Java 8 documentation. I attached a screenshot. On Tue, Nov 18, 2014 at 3:55 PM, Christopher Schultz ch...@christopherschultz.net wrote: Andrew, On 11/18/14 2:58 PM, Andrew Carr wrote: Chris, Thank you for the response. I will include the full stack trace next time. Note that, like polio, SSLv2 has been wiped from the face of the planet. This is not an error. This will not impact anyone of consequence. You may be looking for SSLv2Hello. -chirs You said that I might be looking for SSLv2Hello, but I am not. My point is not the use of SSLv2 because it would be wise, but the fact that the list of protocols on the Oracle page includes SSLv2. It most certainly *does not*: https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider SSLv2 is dead, dead, dead. This list is referred to by the tomcat configuration documentation, which would lead someone to believe this is a valid setting. Maybe we just add a note about SSLv2? There are notes everywhere that SSLv2 is not trusted. Maybe it's not important? Not really. Anyone wanting to use SSLv2 should experience abject failure. -chris -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 6.0.43
+1 stable Regards, Violeta На петък, 14 ноември 2014 г. Mark Thomas ma...@apache.org написа: The proposed Apache Tomcat 6.0.43 release is now available for voting. The key changes since 6.0.41 are: - Disable SSLv3 by default in light of the recently announced POODLE vulnerability. (CVE-2014-3566) - Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. - Various fixes to EL parsing when EL is used in a JSP. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1027/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/ The proposed 6.0.43 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 6.0.43 Stable - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org javascript:; For additional commands, e-mail: dev-h...@tomcat.apache.org javascript:;
Re: [VOTE] Release Apache Tomcat 6.0.43
+1 stable for me However, and I don't know if this is a game changer, I am having a problem when implementing SSL using the NIOConnector, althought the problem does not look like a Tomcat source problem. I did verify that disabling SSLv3 does indeed prevent a client from connecting to the server with SSLv3 protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg exception... Looks like this would be on the Java side, should I log it? SSLv2 is a valid option according to the Java documnetation. Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) Based on this though I think I should log the error with Oracle? I was using JDK 7, and I based SSLv2 being valid from the protocol list here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames -Andrew Full Exception: Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84) at sun.security.ssl.ProtocolList.init(ProtocolList.java:52) at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2023) at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1144) at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1097) at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1322) at java.lang.Thread.run(Thread.java:745) Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 On Mon, Nov 17, 2014 at 5:39 AM, Violeta Georgieva miles...@gmail.com wrote: +1 stable Regards, Violeta На петък, 14 ноември 2014 г. Mark Thomas ma...@apache.org написа: The proposed Apache Tomcat 6.0.43 release is now available for voting. The key changes since 6.0.41 are: - Disable SSLv3 by default in light of the recently announced POODLE vulnerability. (CVE-2014-3566) - Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. - Various fixes to EL parsing when EL is used in a JSP. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1027/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/ The proposed 6.0.43 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 6.0.43 Stable - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org javascript:; For additional commands, e-mail: dev-h...@tomcat.apache.org javascript:; -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743
Re: [VOTE] Release Apache Tomcat 6.0.43
Team, I can see this SSlv2 setting impacting the Tomcat community. If someone explicity sets SSLv2 in the sslEnabledProtocols setting their Tomcat SSL connector will not work properly. The error does not occur on *startup*, but occurs when a user tries to access the SSL connector. -Andrew On Mon, Nov 17, 2014 at 2:26 PM, Andrew Carr andrewlanec...@gmail.com wrote: +1 stable for me However, and I don't know if this is a game changer, I am having a problem when implementing SSL using the NIOConnector, althought the problem does not look like a Tomcat source problem. I did verify that disabling SSLv3 does indeed prevent a client from connecting to the server with SSLv3 protocol, however, when setting it to SSLv2 I am receiving an Illegal Arg exception... Looks like this would be on the Java side, should I log it? SSLv2 is a valid option according to the Java documnetation. Nov 17, 2014 2:19:35 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) Based on this though I think I should log the error with Oracle? I was using JDK 7, and I based SSLv2 being valid from the protocol list here: https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames -Andrew Full Exception: Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 at sun.security.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:164) at sun.security.ssl.ProtocolList.convert(ProtocolList.java:84) at sun.security.ssl.ProtocolList.init(ProtocolList.java:52) at sun.security.ssl.SSLEngineImpl.setEnabledProtocols(SSLEngineImpl.java:2023) at org.apache.tomcat.util.net.NioEndpoint.createSSLEngine(NioEndpoint.java:1144) at org.apache.tomcat.util.net.NioEndpoint.setSocketOptions(NioEndpoint.java:1097) at org.apache.tomcat.util.net.NioEndpoint$Acceptor.run(NioEndpoint.java:1322) at java.lang.Thread.run(Thread.java:745) Nov 17, 2014 2:20:42 PM org.apache.tomcat.util.net.NioEndpoint setSocketOptions SEVERE: java.lang.IllegalArgumentException: SSLv2 On Mon, Nov 17, 2014 at 5:39 AM, Violeta Georgieva miles...@gmail.com wrote: +1 stable Regards, Violeta На петък, 14 ноември 2014 г. Mark Thomas ma...@apache.org написа: The proposed Apache Tomcat 6.0.43 release is now available for voting. The key changes since 6.0.41 are: - Disable SSLv3 by default in light of the recently announced POODLE vulnerability. (CVE-2014-3566) - Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. - Various fixes to EL parsing when EL is used in a JSP. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1027/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/ The proposed 6.0.43 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 6.0.43 Stable - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org javascript:; For additional commands, e-mail: dev-h...@tomcat.apache.org javascript:; -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743 -- With Regards, Andrew Carr e. andrewlanec...@gmail.com w. andrew.c...@openlogic.com h. 4235255668 c. 4239489852 a. 101 Francis Drive, Greeneville, TN, 37743
Re: [VOTE] Release Apache Tomcat 6.0.43
2014-11-14 13:42 GMT+03:00 Mark Thomas ma...@apache.org: The proposed Apache Tomcat 6.0.43 release is now available for voting. The key changes since 6.0.41 are: - Disable SSLv3 by default in light of the recently announced POODLE vulnerability. (CVE-2014-3566) - Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. - Various fixes to EL parsing when EL is used in a JSP. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1027/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/ The proposed 6.0.43 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 6.0.43 Stable [x] Stable - go ahead and release as 6.0.43 Stable Smoke testing is OK. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[VOTE] Release Apache Tomcat 6.0.43
The proposed Apache Tomcat 6.0.43 release is now available for voting. The key changes since 6.0.41 are: - Disable SSLv3 by default in light of the recently announced POODLE vulnerability. (CVE-2014-3566) - Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. - Various fixes to EL parsing when EL is used in a JSP. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1027/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/ The proposed 6.0.43 release is: [ ] Broken - do not release [ ] Stable - go ahead and release as 6.0.43 Stable - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 6.0.43
On 14/11/2014 10:42, Mark Thomas wrote: The proposed Apache Tomcat 6.0.43 release is now available for voting. The key changes since 6.0.41 are: - Disable SSLv3 by default in light of the recently announced POODLE vulnerability. (CVE-2014-3566) - Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. - Various fixes to EL parsing when EL is used in a JSP. It can be obtained from: https://dist.apache.org/repos/dist/dev/tomcat/tomcat-6/v6.0.43/ The Maven staging repo is: https://repository.apache.org/content/repositories/orgapachetomcat-1027/ The svn tag is: http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/TOMCAT_6_0_43/ The proposed 6.0.43 release is: [ ] Broken - do not release [X] Stable - go ahead and release as 6.0.43 Stable Servlet 2.5 and JSP 2.1 TCKs pass. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org