2015-12-04 14:41 GMT+01:00 Mark Thomas <ma...@apache.org>:

> On 04/12/2015 12:38, Rémy Maucherat wrote:
> > 2015-12-04 12:42 GMT+01:00 Mark Thomas <ma...@apache.org>:
> >
> >> Given the recent OpenSSL vulnerability announcements [1], I was planning
> >> on starting a tomcat-native 1.2.3 release to provide an updated Windows
> >> binary.
> >>
> >> There are a few fixes in trunk since 1.2.2. I'll get the changelog
> >> updated.
> >>
> >
> > Sorry, I guess everyone forgot there's a changelog there as well.
>
> No problem.
>
> >> I'm currently planning on tagging this on Tuesday 8th Dec. We can
> >> probably afford to wait a couple of days if anyone wants to get anything
> >> else into a 1.2.3 release.
> >>
> >> On a related topic, what are people's views on switching 6.0.x, 7.0.x
> >> and 8.0.x to 1.2.x rather than 1.1.x?
> >>
> > I am investigating an issue where SSL.getPeerCertificate always returns
> > null (for whatever reason), which may need some fixes, so it's not certain
> > renegotiation works at the moment (although it looks like it). Hopefully
> > this will be sorted out to be included in the tag.
>
> I'm happy to wait if necessary.
>

No need to wait, it's a security issue.

>
> > About forcing an update to 1.2.x for all branches, I'm not convinced at the
> > moment.
>
> I'm just trying to avoid having to release 1.1.x and 1.2.x.
>

Ok, that makes sense. Since we fixed the regressions that have been reported so far, it's supposed to be possible. Still risky though, but it can be attempted.

Rémy