On Thu, May 22, 2025 at 9:13 AM Mark Thomas <[email protected]> wrote:
>
> All,
>
> The last Tomcat Native releases were in July 2024. The Windows binaries
> were built with 3.0.14.
>
> There are some low severity CVEs in 3.0.14 that we don't believe apply
> to Tomcat's usage of OpenSSL but that may trigger a security scanner.
>
> There is a new OpenSSL LTS branch, 3.5.x, that includes support for Post
> Quantum Cryptography.
>
> I'd like to get a new round of Tomcat Native releases made where the
> Windows binaries are built with 3.5.x.
>
> My question is does this need a version bump? I'm thinking not as I'm
> not planning on changing the minimum OpenSSL version and these are
> convenience binaries.
>
> Any objections?

+1

Fedora 42 is still on OpenSSL 3.2, so it will take one more upgrade cycle for people to actually upgrade to 3.5, unless they are rushing it.

Rémy

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
