On 04/07/2022 13:57, Rémy Maucherat wrote:
On Mon, Jul 4, 2022 at 2:50 PM Mark Thomas <ma...@apache.org> wrote:
Hi all,
OpenSSL has announced a 3.0.5 release is scheduled for tomorrow that
will include security fixes. Depending on the details of those fixes we
may need a 2.0.1 release. (And a 1.2.x release.)
We currently have 2 PMC votes for this release so we are 1 vote short.
There is an argument for proceeding with this release anyway (if it gets
another vote) - folks can always build 2.0.0 from source with their
chosen version of OpenSSL.
My current plan is to wait to see if 2.0.0 gets any further votes and to
wait for the details of the OpenSSL security issues and then decide what
to do.
Two vulnerabilities were announced:
CVE-2022-2097 doesn't affect TLS so doesn't impact on Tomcat Native's
use of OpenSSL.
CVE-2022-2274 does affect TLS so does impact on Tomcat Native's use of
OpenSSL. It only affects 3.0.4 which means the binaries for Windows
included in the 2.0.0 release are affected but 1.2.x is unaffected.
I have therefore cancelled this 2.0.0 release and will tag 2.0.1 shortly
and start a release vote.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org