Re: Potential mention on the website

2022-03-31 Thread David Blevins 
> On Mar 31, 2022, at 12:13 PM, Christopher Schultz 
>  wrote:
> 
> Mark,
> 
> On 3/29/22 19:40, Mark Thomas wrote:
>> I worry that putting much more than a simple link on the which version page 
>> could cause confusion. Something like:
>> "For users wanting a Java EE / Jakarta EE container that supports additional 
>> specifications like XXX see Apache TomEE."
> 
> +1
> 
>> My preference is for a new menu item - probably under misc - called "Related 
>> Apache Projects" (a shorter, snappier title preferred) where we can link to 
>> the various ASF projects related to Tomcat and have a paragraph or two on 
>> each project.
> 
> I like this. What else might qualify? If it's really only TomEE (and flavors 
> thereof), we could name that section "Enterprise .. something".
> 
>> Off the top of my head, there is Ant (initially created to build Tomcat), 
>> Commons Pool, DBCP, Modeler, Daemon (all spun off from Tomcat), httpd, TomEE 
>> and probably a bunch I have forgotten about.
> 
> Digester, another Tomcat graduate.
> 
> Other than TomEE (and httpd), those are all dependencies / upstream from 
> Tomcat, which IMO puts TomEE in a slightly different bucket. I would say that 
> httpd isn't really "related" to Tomcat other than (a) they are both ASF 
> projects and (b) they are both web servers. But there's also ATS, ATC and 
> probably one or two other web servers under ASF umbrella I haven't heard of 
> yet.

On httpd, I know a very large number of Tomcat/TomEE users I see in the wild 
use httpd in front for load balancing.

I think a related projects page could be pretty great if we:

 - Mentioned why it is potentially interesting to Tomcat users and provided a 
pointer or two.  I.e. treat it as documentation, not just a list of links.  The 
section would still have to be brief -- no taking up a whole or even half a 
page.

 - Gave people a reason to look at it by linking to in other sections of the 
website beyond the left nav.  It would be context dependent.  For example, if 
we're talking about load balancing, we mention httpd and link to 
https://tomcat.apache.org/related.html#httpd.  The whichversion.html could have 
the one sentence that mentions TomEE as a way to get more Jakarta EE impls on 
Tomcat out-of-the-box and link to https://tomcat.apache.org/related.html#tomee

Could be a nice balance.  We could still mention things like TomEE where 
needed, but they'd be going to a page with a great big "related projects" title 
and a clear statement these are external projects, which would allow us to give 
a bit more information on why it's useful for Tomcat people without potentially 
confusing people in thinking it's a Tomcat thing.

Thoughts?


-David



smime.p7s
Description: S/MIME cryptographic signature

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 11:14 PM Christopher Schultz
 wrote:
>
> Mark,
>
> Thanks for RMing. I hope I didn't break your 8.5.78 git tag. I was 2.5
> hours later than you, and didn't realize you had already rolled the release.

It looks fine: https://github.com/apache/tomcat/tree/8.5.78

Rémy

> Mark, there are two signature files missing from the release artifacts,
> detailed below. Can you check on those?
>
> On 3/31/22 12:54, Mark Thomas wrote:
> > The proposed Apache Tomcat 8.5.78 release is now available for voting.
> >
> > The notable changes compared to 8.5.77 are:
> >
> > - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> > pick up Windows binaries built with OpenSSL 1.1.1n.
> >
> > - Improve logging of unknown HTTP/2 settings frames. Pull request by
> > Thomas Hoffmann.
> >
> > - Add additional warnings if incompatible TLS configurations are used
> > such as HTTP/2 with CLIENT-CERT authentication
> >
> > - Harden the class loader to provide a mitigation for CVE-2022-22965
> > a Spring Framework vulnerability
> >
> > Along with lots of other bug fixes and improvements.
> >
> > This is the third release of Tomcat 8.5 that has been built with Java 11
> > (in Java 7 mode) instead of Java 7. Please report any strangeness you
> > may observe especially if you are running Tomcat 8.5 in an environment
> > using Java < 11. We don't expect any issues, but understand that we
> > cannot test all possible environmental configurations.
> >
> > For full details, see the changelog:
> > https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
> >
> > It can be obtained from:
> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> > The Maven staging repo is:
> > https://repository.apache.org/content/repositories/orgapachetomcat-1370
> > The tag is:
> > https://github.com/apache/tomcat/tree/8.5.78
> > f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
> >
> > The proposed 8.5.78 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 8.5.78 (stable)
>
> Works on a vanilla servlet-based web application in a testing environment.
>
> Unit tests pass on Debian Linux and MacOS Big Sur.
>
> Note: the files apache-tomcat-8.5.78.zip.asc and
> apache-tomcat-8.5.78.tar.gz.asc were expected but missing.
>
> Details:
> * Environment
> *  Java (build): openjdk version "1.8.0_292" OpenJDK Runtime
> Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit
> Server VM (build 25.292-b10, mixed mode)
> *  Java (test): openjdk version "1.8.0_292" OpenJDK Runtime
> Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit
> Server VM (build 25.292-b10, mixed mode)
> *  OS:   Linux 4.19.0-18-amd64 x86_64
> *  cc:   cc (Debian 8.3.0-6) 8.3.0
> *  make: GNU Make 4.2.1
> *  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
> *  APR:  1.6.5
> *
> * Valid SHA-512 signature for apache-tomcat-8.5.78.zip
> * !! Invalid GPG signature for apache-tomcat-8.5.78.zip
> * Valid SHA-512 signature for apache-tomcat-8.5.78.tar.gz
> * !! Invalid GPG signature for apache-tomcat-8.5.78.tar.gz
> * Valid SHA-512 signature for apache-tomcat-8.5.78.exe
> * Valid GPG signature for apache-tomcat-8.5.78.exe
> * Valid Windows Digital Signature for apache-tomcat-8.5.78.exe
> * Valid SHA512 signature for apache-tomcat-8.5.78-src.zip
> * Valid GPG signature for apache-tomcat-8.5.78-src.zip
> * Valid SHA512 signature for apache-tomcat-8.5.78-src.tar.gz
> * Valid GPG signature for apache-tomcat-8.5.78-src.tar.gz
> *
> * Binary Zip and tarball: Same
> * Source Zip and tarball: Same
> *
> * Building dependencies returned: 0
> * tcnative builds cleanly
> * Tomcat builds cleanly
> * Junit Tests: PASSED
>
> -chris
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Christopher Schultz 

Mark,

Thanks for RMing. I hope I didn't break your 8.5.78 git tag. I was 2.5 
hours later than you, and didn't realize you had already rolled the release.


Mark, there are two signature files missing from the release artifacts, 
detailed below. Can you check on those?


On 3/31/22 12:54, Mark Thomas wrote:

The proposed Apache Tomcat 8.5.78 release is now available for voting.

The notable changes compared to 8.5.77 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
    pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
    Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
    such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

This is the third release of Tomcat 8.5 that has been built with Java 11 
(in Java 7 mode) instead of Java 7. Please report any strangeness you 
may observe especially if you are running Tomcat 8.5 in an environment 
using Java < 11. We don't expect any issues, but understand that we 
cannot test all possible environmental configurations.


For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1370
The tag is:
https://github.com/apache/tomcat/tree/8.5.78
f732d3aa5ca55eb07cb73d9ec2b585330f80f00b

The proposed 8.5.78 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.78 (stable)


Works on a vanilla servlet-based web application in a testing environment.

Unit tests pass on Debian Linux and MacOS Big Sur.

Note: the files apache-tomcat-8.5.78.zip.asc and 
apache-tomcat-8.5.78.tar.gz.asc were expected but missing.


Details:
* Environment
*  Java (build): openjdk version "1.8.0_292" OpenJDK Runtime 
Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit 
Server VM (build 25.292-b10, mixed mode)
*  Java (test): openjdk version "1.8.0_292" OpenJDK Runtime 
Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit 
Server VM (build 25.292-b10, mixed mode)

*  OS:   Linux 4.19.0-18-amd64 x86_64
*  cc:   cc (Debian 8.3.0-6) 8.3.0
*  make: GNU Make 4.2.1
*  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
*  APR:  1.6.5
*
* Valid SHA-512 signature for apache-tomcat-8.5.78.zip
* !! Invalid GPG signature for apache-tomcat-8.5.78.zip
* Valid SHA-512 signature for apache-tomcat-8.5.78.tar.gz
* !! Invalid GPG signature for apache-tomcat-8.5.78.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.78.exe
* Valid GPG signature for apache-tomcat-8.5.78.exe
* Valid Windows Digital Signature for apache-tomcat-8.5.78.exe
* Valid SHA512 signature for apache-tomcat-8.5.78-src.zip
* Valid GPG signature for apache-tomcat-8.5.78-src.zip
* Valid SHA512 signature for apache-tomcat-8.5.78-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.78-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED

-chris

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: svn commit: r53489 [1/2] - in /dev/tomcat/tomcat-8/v8.5.78: ./ bin/ bin/embed/ bin/extras/ src/

2022-03-31 Thread Konstantin Kolinko 
чт, 31 мар. 2022 г. в 19:50, :
>
> Author: markt
> Date: Thu Mar 31 16:50:19 2022
> New Revision: 53489
>
> Log:
> Upload 8.5.78 for voting
>
> Added:
> dev/tomcat/tomcat-8/v8.5.78/
> dev/tomcat/tomcat-8/v8.5.78/KEYS
> dev/tomcat/tomcat-8/v8.5.78/README.html
> dev/tomcat/tomcat-8/v8.5.78/RELEASE-NOTES
> dev/tomcat/tomcat-8/v8.5.78/bin/
> dev/tomcat/tomcat-8/v8.5.78/bin/README.html
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.tar.gz   
> (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.tar.gz.asc
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.tar.gz.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.zip   (with 
> props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.zip.asc
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.zip.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-fulldocs.tar.gz   
> (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-fulldocs.tar.gz.asc
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-fulldocs.tar.gz.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x64.zip   
> (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x64.zip.asc
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x64.zip.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x86.zip   
> (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x86.zip.asc
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x86.zip.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.exe   (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.exe.asc
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.exe.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz   (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.zip   (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.zip.sha512

*.asc files are missing for .zip and .tar.gz above.

The same issue as for 10.1.0-M14 RC.

10.0.20 and 9.0.62 are OK

Best regards,
Konstantin Kolinko

> dev/tomcat/tomcat-8/v8.5.78/bin/embed/
> dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.tar.gz   
> (with props)
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.tar.gz.asc
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.tar.gz.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.zip   
> (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.zip.asc
> 
> dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.zip.sha512
> dev/tomcat/tomcat-8/v8.5.78/bin/extras/
> dev/tomcat/tomcat-8/v8.5.78/bin/extras/catalina-ws.jar   (with props)
> dev/tomcat/tomcat-8/v8.5.78/bin/extras/catalina-ws.jar.asc
> dev/tomcat/tomcat-8/v8.5.78/bin/extras/catalina-ws.jar.sha512
> dev/tomcat/tomcat-8/v8.5.78/src/
> dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz   (with 
> props)
> dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.asc
> dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.sha512
> dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip   (with 
> props)
> dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.asc
> dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.sha512
>
> Added: dev/tomcat/tomcat-8/v8.5.78/KEYS

(... diffs skipped)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Felix Schumacher 


Am 31.03.22 um 18:54 schrieb Mark Thomas:

The proposed Apache Tomcat 8.5.78 release is now available for voting.

The notable changes compared to 8.5.77 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
   pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
   Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
   such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
   a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

This is the third release of Tomcat 8.5 that has been built with Java 
11 (in Java 7 mode) instead of Java 7. Please report any strangeness 
you may observe especially if you are running Tomcat 8.5 in an 
environment using Java < 11. We don't expect any issues, but 
understand that we cannot test all possible environmental configurations.


For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1370
The tag is:
https://github.com/apache/tomcat/tree/8.5.78
f732d3aa5ca55eb07cb73d9ec2b585330f80f00b

The proposed 8.5.78 release is:
[ ] Broken - do not release
[x] Stable - go ahead and release as 8.5.78 (stable)


Unit tests run with Java 11 and Java 8 on Linux

Felix



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



OpenPGP_0xEA6C3728EA91C4AF.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature

Re: Potential mention on the website

2022-03-31 Thread Christopher Schultz 

Mark,

On 3/29/22 19:40, Mark Thomas wrote:
I worry that putting much more than a simple link on the which version 
page could cause confusion. Something like:


"For users wanting a Java EE / Jakarta EE container that supports 
additional specifications like XXX see Apache TomEE."


+1

My preference is for a new menu item - probably under misc - called 
"Related Apache Projects" (a shorter, snappier title preferred) where we 
can link to the various ASF projects related to Tomcat and have a 
paragraph or two on each project.


I like this. What else might qualify? If it's really only TomEE (and 
flavors thereof), we could name that section "Enterprise .. something".


Off the top of my head, there is Ant (initially created to build 
Tomcat), Commons Pool, DBCP, Modeler, Daemon (all spun off from Tomcat), 
httpd, TomEE and probably a bunch I have forgotten about.


Digester, another Tomcat graduate.

Other than TomEE (and httpd), those are all dependencies / upstream from 
Tomcat, which IMO puts TomEE in a slightly different bucket. I would say 
that httpd isn't really "related" to Tomcat other than (a) they are both 
ASF projects and (b) they are both web servers. But there's also ATS, 
ATC and probably one or two other web servers under ASF umbrella I 
haven't heard of yet.


Thanks,
-chris


On 30/03/2022 00:25, David Blevins wrote:
On Mar 28, 2022, at 10:12 AM, Christopher Schultz 
 wrote:


David,

On 3/26/22 14:13, David Blevins wrote:

I've never had the bravery to ask


Why the heck not?


Perhaps it's a Geronimo hangover, but I never wanted to risk creating 
a situation where people felt forced or inadvertently create conflict.





but would there be some willingness to consider adding a mention of
TomEE on the Tomcat website?


I'm up for it. I can't imagine anyone on the Tomcat PMC would have any
problem with this. Anyone?


Any sign of pushback and I'll happily drop -- it's far more important
to maintain good will, respect boundaries and keep things friendly.
If there was some warmness to the idea, perhaps something very subtle
at the bottom of the Tomcat description on the front page, "For
distributions of Tomcat that contain Jakarta REST, Jakarta CDI,
Jakarta Enterprise Beans (EJB) and similar specifications see Apache
TomEE."
I guess the question would be "where is the best place to put this?" 
Does TomEE have versions that track Tomcat versions in any way? Or do 
you just use whatever version is "best at the time of packaging" or 
whatever?


For example, relegating TomEE to the "download" page(s) would mean 
that someone would have to know they want to download a specific 
Tomcat version, then decide at the last second that they instead want 
TomEE. If you don't release new versions every month (ish, like we 
do), then we could easily get out of sync.


It's a mix.  Each TomEE major version will fix itself to a Tomcat 
major version.


  - TomEE 7 (Java EE 7) uses Tomcat 8.5
  - TomEE 8 (Java EE 8) uses Tomcat 9
  - TomEE 9 (Jakarta EE 9.x) uses Tomcat 10

TomEE 9 is still in milestone, but should be released in a few 
months.  We've been basing our version numbers on the Java EE / 
Jakarta EE spec number.  For Tomcat 10.1, TomEE 10, Jakarta EE 10, 
they'll be pretty close and might possibly sync perfectly at 11 -- for 
a while at least.


On release speed, we definitely don't keep up with Tomcat pace -- 
we're more once a quarter than once a month.  As well it can take us 
many months longer to reach final as there's a lot more in the box to 
certify.


I'm thinking that maybe what we should do it put TomEE on the "Which 
version?" page (https://tomcat.apache.org/whichversion.html). Below 
the grid of spec versions and associated Tomcat versions, we could 
put a heading which says something along the lines of "Jakarta Foo + 
Bar are packaged with TomEE" and just throw the user over to whatever 
page at TomEE makes the most sense.


My only concern would be to properly inform users what is happening. 
I'm an Eclipse user and any time I have to download a new version 
from their web site I have to re-learn the differences between 
"Eclipse IDE for Java Developers" and "Eclipse IDE for Java and DSL 
Developers" and "Eclipse IDE for Enterprise Java and Web Developers" 
and I guess whatever the hell Thelia is, now.


I wouldn't want anyone to inadvertently install TomEE if all they 
really want is Tomcat or "only" install Tomcat when they need the 
additional features and APIs that TomEE provides. Perhaps just a 
reference to here would be sufficient: 
https://tomee.apache.org/comparison.html


I'm open to what people think is the right.  The whichversion.html 
page idea could be good.


A nice thing about a heading on the whichversion.html page is that 
it's something we can link to in the tomcat.apache.org website, say 
"https://tomcat.apache.org/whichversion.html#tomee"; or something.  
When twitter polls like this happen we can paste the link and 
hopefully not see 50% of people saying

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Tim Funk 
On Thu, Mar 31, 2022 at 10:56 AM Rémy Maucherat  wrote:

>
> The proposed 9.0.62 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.62 (stable)
>
>

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Filip Hanik 
On Thu, Mar 31, 2022 at 9:55 AM Mark Thomas  wrote:

> The proposed Apache Tomcat 8.5.78 release is now available for voting.
>
> The notable changes compared to 8.5.77 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
> Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
> such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
> a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> This is the third release of Tomcat 8.5 that has been built with Java 11
> (in Java 7 mode) instead of Java 7. Please report any strangeness you
> may observe especially if you are running Tomcat 8.5 in an environment
> using Java < 11. We don't expect any issues, but understand that we
> cannot test all possible environmental configurations.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
>
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
>
> [X] Stable - go ahead and release as 8.5.78 (stable)
Filip

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Filip Hanik 
On Thu, Mar 31, 2022 at 7:56 AM Rémy Maucherat  wrote:

> The proposed Apache Tomcat 9.0.62 release is now available for voting.
>
> The notable changes compared to 9.0.60 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.62/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1368
> The tag is:
> https://github.com/apache/tomcat/tree/9.0.62
> 85113741042dcce9e9792bdbc3d498172bc31291
>
> The proposed 9.0.62 release is:
> [ ] Broken - do not release
>
>  [X] Stable - go ahead and release as 9.0.62 (stable)

Filip


>
>

Re: [VOTE] Release Apache Tomcat 10.0.20

2022-03-31 Thread Felix Schumacher 


Am 31.03.22 um 17:20 schrieb Mark Thomas:

The proposed Apache Tomcat 10.0.20 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to 
jakarta.*


Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.18 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
  pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
  Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
  such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
  a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.20/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1369

The tag is:
https://github.com/apache/tomcat/tree/10.0.20
2a46c651529a9d237b4d6beb1ef846922d949342

The proposed 10.0.20 release is:
[ ] Broken - do not release
[x] Stable - go ahead and release as 10.0.20 (stable)


Unit test run under Linux with Java 11

Felix




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



OpenPGP_0xEA6C3728EA91C4AF.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Coty Sutherland 
On Thu, Mar 31, 2022 at 10:57 AM Rémy Maucherat  wrote:

> The proposed Apache Tomcat 9.0.62 release is now available for voting.
>
> The notable changes compared to 9.0.60 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.62/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1368
> The tag is:
> https://github.com/apache/tomcat/tree/9.0.62
> 85113741042dcce9e9792bdbc3d498172bc31291
>
> The proposed 9.0.62 release is:
> [ ] Broken - do not release
> [x] Stable - go ahead and release as 9.0.62 (stable)
>

+1


> Rémy
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 6:55 PM Mark Thomas  wrote:
>
> The proposed Apache Tomcat 8.5.78 release is now available for voting.
>
> The notable changes compared to 8.5.77 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
> Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
> such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
> a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> This is the third release of Tomcat 8.5 that has been built with Java 11
> (in Java 7 mode) instead of Java 7. Please report any strangeness you
> may observe especially if you are running Tomcat 8.5 in an environment
> using Java < 11. We don't expect any issues, but understand that we
> cannot test all possible environmental configurations.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1370
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.78
> f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
>
> The proposed 8.5.78 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.78 (stable)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Raymond Augé 
> [X] Stable - go ahead and release as 8.5.78 (stable)

On Thu, Mar 31, 2022 at 12:56 PM Mark Thomas  wrote:

> On 31/03/2022 17:54, Mark Thomas wrote:
>
> > The proposed 8.5.78 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 8.5.78 (stable)
>
> Tests pass with Linux, Windows and MacOS
>
> Mark
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

-- 
*Raymond Augé* (@rotty3000)
Senior Software Architect *Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion

Re: [VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Mark Thomas 

On 31/03/2022 17:54, Mark Thomas wrote:


The proposed 8.5.78 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.78 (stable)


Tests pass with Linux, Windows and MacOS

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[VOTE] Release Apache Tomcat 8.5.78

2022-03-31 Thread Mark Thomas 

The proposed Apache Tomcat 8.5.78 release is now available for voting.

The notable changes compared to 8.5.77 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
   pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
   Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
   such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
   a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

This is the third release of Tomcat 8.5 that has been built with Java 11 
(in Java 7 mode) instead of Java 7. Please report any strangeness you 
may observe especially if you are running Tomcat 8.5 in an environment 
using Java < 11. We don't expect any issues, but understand that we 
cannot test all possible environmental configurations.


For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.78/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1370
The tag is:
https://github.com/apache/tomcat/tree/8.5.78
f732d3aa5ca55eb07cb73d9ec2b585330f80f00b

The proposed 8.5.78 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.78 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r53489 [1/2] - in /dev/tomcat/tomcat-8/v8.5.78: ./ bin/ bin/embed/ bin/extras/ src/

2022-03-31 Thread markt 
Author: markt
Date: Thu Mar 31 16:50:19 2022
New Revision: 53489

Log:
Upload 8.5.78 for voting

Added:
dev/tomcat/tomcat-8/v8.5.78/
dev/tomcat/tomcat-8/v8.5.78/KEYS
dev/tomcat/tomcat-8/v8.5.78/README.html
dev/tomcat/tomcat-8/v8.5.78/RELEASE-NOTES
dev/tomcat/tomcat-8/v8.5.78/bin/
dev/tomcat/tomcat-8/v8.5.78/bin/README.html
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.tar.gz   
(with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.zip   (with 
props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.zip.asc
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-deployer.zip.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-fulldocs.tar.gz   
(with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-fulldocs.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-fulldocs.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x64.zip   
(with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x64.zip.asc
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x64.zip.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x86.zip   
(with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x86.zip.asc
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78-windows-x86.zip.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.exe   (with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.exe.asc
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.exe.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz   (with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.zip   (with props)
dev/tomcat/tomcat-8/v8.5.78/bin/apache-tomcat-8.5.78.zip.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/embed/
dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.tar.gz   
(with props)
dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.tar.gz.asc

dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.zip   
(with props)
dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.zip.asc
dev/tomcat/tomcat-8/v8.5.78/bin/embed/apache-tomcat-8.5.78-embed.zip.sha512
dev/tomcat/tomcat-8/v8.5.78/bin/extras/
dev/tomcat/tomcat-8/v8.5.78/bin/extras/catalina-ws.jar   (with props)
dev/tomcat/tomcat-8/v8.5.78/bin/extras/catalina-ws.jar.asc
dev/tomcat/tomcat-8/v8.5.78/bin/extras/catalina-ws.jar.sha512
dev/tomcat/tomcat-8/v8.5.78/src/
dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz   (with 
props)
dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.asc
dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.sha512
dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip   (with props)
dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.asc
dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.sha512

Added: dev/tomcat/tomcat-8/v8.5.78/KEYS
==
--- dev/tomcat/tomcat-8/v8.5.78/KEYS (added)
+++ dev/tomcat/tomcat-8/v8.5.78/KEYS Thu Mar 31 16:50:19 2022
@@ -0,0 +1,785 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+Type Bits/KeyIDDate   User ID
+pub  2048/F22C4FED 2001/07/02 Andy Armstrong 
+
+-BEGIN PGP PUBLIC KEY BLOCK-
+Version: PGPfreeware 7.0.3 for non-commercial use 
+
+mQGiBDtAWuURBADZ0KUEyUkSUiTA09e7tvEbX25STsjxrR+DNTainCls+XlkVOij
+gBv216lqge9tIsS0L6hCP4OQbFf/64qVtJssX4QXdyiZGb5wpmcj0Mz602Ew8r+N
+I0S5NvmogoYWW7BlP4r61jNxO5zrr03KaijM5r4ipJdLUxyOmM6P2jRPUwCg/5gm
+bpqiYl7pXX5FgDeB36tmD+UD/06iLqOnoiKO0vMbOk7URclhCObMNrHqxTxozMTS
+B9soYURbIeArei+plYo2n+1qB12ayybjhVu3uksXRdT9bEkyxMfslvLbIpDAG8Cz
+gNftTbKx/MVS7cQU0II8BKo2Akr+1FZah+sD4ovK8SfkMXUQUbTeefTntsAQKyyU
+9M9tA/9on9tBiHFl0qVJht6N4GiJ2G689v7rS2giLgKjetjiCduxBXEgvUSuyQID
+nF9ATrpXjITwsRlGKFmpZiFm5oCeCXihIVH0u6q066xNW2AXkLVoJ1l1Rs2Z0lsb
+0cq3xEAcwAmYLKQvCtgDV8CYgWKVmPi+49rSuQn7Lo9l02OUbLQgQW5keSBBcm1z
+dHJvbmcgPGFuZHlAdGFnaXNoLmNvbT6JAFgEEBECABgFAjtAWuUICwMJCAcCAQoC
+GQEFGwMACgkQajrT9PIsT+1plgCfXAovWnVL3MjrTfcGlFSKw7GHCS

svn commit: r53489 [2/2] - in /dev/tomcat/tomcat-8/v8.5.78: ./ bin/ bin/embed/ bin/extras/ src/

2022-03-31 Thread markt 
Added: dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.asc
==
--- dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.asc (added)
+++ dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.asc Thu Mar 
31 16:50:19 2022
@@ -0,0 +1,17 @@
+-BEGIN PGP SIGNATURE-
+Comment: GPGTools - http://gpgtools.org
+
+iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmJF0nMACgkQEMAcWi9g
+WeeDzA/5AVHUBbC3f/YWzU6wMxkncS9OQjesDghBZSEByZIXvVJFFhVEgzAPxjvH
+J+M1nac2paQ76iC4uETD9vuvV3HhN7hi1l+aQucgrZXXdBNagQnFtGxpfYm0nEhv
+4ISCdI3MLs3Wmo6PQeRMgs5/TYadsKf1x6rp6WzTOvnAWD/DpFRAUR5zh/8xKhKm
+M61/BO8MjvZiLkEbii8jkEK3JS9jnuXvUhQexPbxqGyfZKqhSoMkDV1wz/MvVPtA
+21EkKLe8Njo2akdzkmEmAqMHKQc07O7z3ay5XBTznHK59IjJybFtRWu8ukV7VxN7
+LHxgbixB4spw7fPg4sytfnJRookO7LzQZEM9KKZ0YYn62knU0kKmJjO2t9Usv+7x
+tbnUzVVzAmfsfRRlX89ZmS7nnrl/fs5pR/0rvRwcfvKtDAO2wbH17EcIK9O+EHzb
+bZhFQ+P1eyTyvfAxpPwh0fhMzjdodSC+dPNJOOfOLAUn1g7Iddw4PSv2U1jLtr9g
+4l7+FdzMVc31LKOJQZGbzqdEgUJMakpSAmlr13kDTQE3lZM0kvKM3reMxQA9Nopn
+VP5zMx5VkoqiBByBOnVvdxSUvgXx/aFba1HhK6M/m5aozdKsOuJokAzP4dckURUR
+LJtDg2rwWLAS4IQasy1hgFrCmCIi2hnNkEs8mFebRDzJl/er+Gc=
+=H4Wm
+-END PGP SIGNATURE-

Added: dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.sha512
==
--- dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.sha512 
(added)
+++ dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.tar.gz.sha512 Thu 
Mar 31 16:50:19 2022
@@ -0,0 +1 @@
+b58fdaa57420fcf7759420fba26bfd6edaa5174f5d3a81fdf8783f19d5385e2502d2ad4bfa0e4a77c6a084bf6d97a6d3cd274ab0ab3f2311d23079e273c41b32
 *apache-tomcat-8.5.78-src.tar.gz
\ No newline at end of file

Added: dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip
==
Binary file - no diff available.

Propchange: dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip
--
svn:mime-type = application/octet-stream

Added: dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.asc
==
--- dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.asc (added)
+++ dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.asc Thu Mar 31 
16:50:19 2022
@@ -0,0 +1,17 @@
+-BEGIN PGP SIGNATURE-
+Comment: GPGTools - http://gpgtools.org
+
+iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmJF0lYACgkQEMAcWi9g
+Wec47Q//c/FETOYh6P6A6Os6EEUKuw6BSZzxo29fxckCYszw3Z7sJ652FfStZToh
+jONrYPokOYkh3GFRRIuHOwS9abror+QKugi9MTvW0axLqlbxoaTyoTxq12++YPpS
+aAPKodePnHQHYw2jz2NYS6ZzUbDDRy7bvUp6RkXsREjCDvTHx7zXPKakAG+9KSqm
+2P4GQx1Dc4cw3jiT6OLxKvkBgf4NI+CAdnYnm9ZR/zdE4Ay0vWpXSTj4MZabj26j
+sGkdwkf4fqMa+CF1weKhCjhOLqZHxh9KdiCizlOwHolKPjFWPyttEgy5klSsGdsT
+etD65MJVLzTc1TdSj7Z4CxHUbtXxj9Kg33MgI3n3VTcmC70mBuM47Cqb7E9NSvBc
+/UjrIsmKggAfF4Mz3wnM+oIekJu4EcX/DWDinVb0gCxErs3Tv7KbNCiRlnsa+C5B
+LHE/fdeM5voxjJ3E71rIsi9ppRXFVcBWXE0sLPdGw0ZG8aNejW/QNxc1wu8pKJkM
+tLMlqldJi/BjpjgsYItI72N6dyaTm3lDlmzAOm/NLTZIjjNq5I/6qI58wba+ehzo
+Vml8ap2O5Q5Osokc66iPIw3W7CwUGzspqNCy0KWwHQoYhyj1tQEJPUqSj99mX6Cp
+ZgelOBVQqFKxL4bN0RLig/EPBWfO++Exf7aIgEwkp3bRHewktO0=
+=B7HB
+-END PGP SIGNATURE-

Added: dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.sha512
==
--- dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.sha512 (added)
+++ dev/tomcat/tomcat-8/v8.5.78/src/apache-tomcat-8.5.78-src.zip.sha512 Thu Mar 
31 16:50:19 2022
@@ -0,0 +1 @@
+4dc08c843fd5f353ff485b210b95d434569c90ec2f30b5ab8ceae1fd38929c7b379ec4e7ac52cf6d9391178fd1ab8313de62ac04011bb9956459a5902863eb55
 *apache-tomcat-8.5.78-src.zip
\ No newline at end of file



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Mark Thomas 

On 31/03/2022 15:56, Rémy Maucherat wrote:


The proposed 9.0.62 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 9.0.62 (stable)


Unit tests pass on Linux, Windows and MacOS

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Felix Schumacher 


Am 31.03.22 um 16:56 schrieb Rémy Maucherat:

The proposed Apache Tomcat 9.0.62 release is now available for voting.

The notable changes compared to 9.0.60 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.62/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1368
The tag is:
https://github.com/apache/tomcat/tree/9.0.62
85113741042dcce9e9792bdbc3d498172bc31291

The proposed 9.0.62 release is:
[ ] Broken - do not release
[x] Stable - go ahead and release as 9.0.62 (stable)


Unit tests run with Java 11 and Java 8 on Linux

Felix



Rémy

-
To unsubscribe, e-mail:dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail:dev-h...@tomcat.apache.org



OpenPGP_0xEA6C3728EA91C4AF.asc
Description: OpenPGP public key


OpenPGP_signature
Description: OpenPGP digital signature

[tomcat] 01/01: Tag 8.5.78

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 8.5.78
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit f732d3aa5ca55eb07cb73d9ec2b585330f80f00b
Author: Mark Thomas 
AuthorDate: Thu Mar 31 17:03:51 2022 +0100

Tag 8.5.78
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index c20b316..0d6322e 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -33,7 +33,7 @@ version.major=8
 version.minor=5
 version.build=78
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c9c2ab1..11bc27a 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] tag 8.5.78 created (now f732d3a)

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 8.5.78
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at f732d3a  (commit)
This tag includes the following new commits:

 new f732d3a  Tag 8.5.78

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Raymond Augé 
> [X] Stable - go ahead and release as 9.0.62 (stable)

Ray

On Thu, Mar 31, 2022 at 11:23 AM Rémy Maucherat  wrote:

> On Thu, Mar 31, 2022 at 4:56 PM Rémy Maucherat  wrote:
> >
> > The proposed Apache Tomcat 9.0.62 release is now available for voting.
> >
> > The notable changes compared to 9.0.60 are:
> >
> > - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> >pick up Windows binaries built with OpenSSL 1.1.1n.
> >
> > - Improve logging of unknown HTTP/2 settings frames. Pull request by
> >Thomas Hoffmann.
> >
> > - Add additional warnings if incompatible TLS configurations are used
> >such as HTTP/2 with CLIENT-CERT authentication
> >
> > - Harden the class loader to provide a mitigation for CVE-2022-22965
> >a Spring Framework vulnerability
> >
> > Along with lots of other bug fixes and improvements.
> >
> > For full details, see the changelog:
> > https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html
> >
> > It can be obtained from:
> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.62/
> > The Maven staging repo is:
> > https://repository.apache.org/content/repositories/orgapachetomcat-1368
> > The tag is:
> > https://github.com/apache/tomcat/tree/9.0.62
> > 85113741042dcce9e9792bdbc3d498172bc31291
> >
> > The proposed 9.0.62 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 9.0.62 (stable)
>
> Rémy
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

-- 
*Raymond Augé* (@rotty3000)
Senior Software Architect *Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion

Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Raymond Augé 
> [X] Alpha - go ahead and release as 10.1.0-M14 (alpha)

Ray

On Thu, Mar 31, 2022 at 11:13 AM 
wrote:

> Thank you Mark. I know it's not a Tomcat vulnerability, but if the
> Hardening mitigates the other, then that had me wondering was all.
>
> Thanks for the position clarification.
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
>
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Thursday, March 31, 2022 10:08 AM
> > To: dev@tomcat.apache.org
> > Subject: Re: [VOTE] Release Apache Tomcat 10.1.0-M14
> >
> > On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Noting the Hardening of the class loader, is this going to require
> this to be a
> > security release of the newest Tomcat releases (forthcoming), or will
> they
> > still just be standard releases?
> >
> > That change does not address a security vulnerability in Apache Tomcat.
> >
> > There will be no CVE for this change.
> >
> > We generally use hardening to refer to things that do not address a
> > vulnerability but improve the overall security posture. Typically, these
> > changes provide additional defense in depth.
> >
> > In this instance, it mitigates CVE-2022-22965 which is a Spring Framework
> > vulnerability. The main purpose of the release is to provide end users
> with an
> > alternative option if updating Tomcat is simpler than updating the
> version of
> > Spring they are using.
> >
> > To provide some context, similar recent hardening changes include:
> >
> > - Using a constant time algorithm to compare passwords. Analysis showed
> >that a timing attack wasn't feasible but we switched now in case it
> >became feasible as some point in the future
> >
> > - We changed the BeanFactory in 10.1.x (and might back-port the change)
> >to prevent it from being used if an application has a JNDI injection
> >vulnerability
> >
> > Finally, we will either keep completely silent about security
> vulnerabilities
> > until they are published or we will be completely open about them up
> front
> > (e.g. if there is a zero day).
> >
> > HTH,
> >
> > Mark
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
> > commands, e-mail: dev-h...@tomcat.apache.org
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

-- 
*Raymond Augé* (@rotty3000)
Senior Software Architect *Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion

Re: [VOTE] Release Apache Tomcat 10.0.20

2022-03-31 Thread Raymond Augé 
> [X] Stable - go ahead and release as 10.0.20 (stable)

Ray

On Thu, Mar 31, 2022 at 11:23 AM Rémy Maucherat  wrote:

> On Thu, Mar 31, 2022 at 5:20 PM Mark Thomas  wrote:
> >
> > The proposed Apache Tomcat 10.0.20 release is now available for
> > voting.
> >
> > Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
> > package for all the specification APIs has changed from javax.* to
> jakarta.*
> >
> > Applications that run on Tomcat 9 will not run on Tomcat 10 without
> > changes. Java EE applications designed for Tomcat 9 and earlier may be
> > placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> > automatically convert them to Jakarta EE and copy them to the webapps
> > directory
> >
> > The notable changes compared to 10.0.18 are:
> >
> > - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> >pick up Windows binaries built with OpenSSL 1.1.1n.
> >
> > - Improve logging of unknown HTTP/2 settings frames. Pull request by
> >Thomas Hoffmann.
> >
> > - Add additional warnings if incompatible TLS configurations are used
> >such as HTTP/2 with CLIENT-CERT authentication
> >
> > - Harden the class loader to provide a mitigation for CVE-2022-22965
> >a Spring Framework vulnerability
> >
> > Along with lots of other bug fixes and improvements.
> >
> > For full details, see the changelog:
> > https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html
> >
> > It can be obtained from:
> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.20/
> >
> > The Maven staging repo is:
> > https://repository.apache.org/content/repositories/orgapachetomcat-1369
> >
> > The tag is:
> > https://github.com/apache/tomcat/tree/10.0.20
> > 2a46c651529a9d237b4d6beb1ef846922d949342
> >
> > The proposed 10.0.20 release is:
> > [ ] Broken - do not release
> > [X] Stable - go ahead and release as 10.0.20 (stable)
>
> Rémy
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

-- 
*Raymond Augé* (@rotty3000)
Senior Software Architect *Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion

Re: [VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 4:56 PM Rémy Maucherat  wrote:
>
> The proposed Apache Tomcat 9.0.62 release is now available for voting.
>
> The notable changes compared to 9.0.60 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.62/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1368
> The tag is:
> https://github.com/apache/tomcat/tree/9.0.62
> 85113741042dcce9e9792bdbc3d498172bc31291
>
> The proposed 9.0.62 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.62 (stable)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.0.20

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 5:20 PM Mark Thomas  wrote:
>
> The proposed Apache Tomcat 10.0.20 release is now available for
> voting.
>
> Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
> package for all the specification APIs has changed from javax.* to jakarta.*
>
> Applications that run on Tomcat 9 will not run on Tomcat 10 without
> changes. Java EE applications designed for Tomcat 9 and earlier may be
> placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> automatically convert them to Jakarta EE and copy them to the webapps
> directory
>
> The notable changes compared to 10.0.18 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>such as HTTP/2 with CLIENT-CERT authentication
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>a Spring Framework vulnerability
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.20/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1369
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.0.20
> 2a46c651529a9d237b4d6beb1ef846922d949342
>
> The proposed 10.0.20 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 10.0.20 (stable)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.0.20

2022-03-31 Thread Mark Thomas 

On 31/03/2022 16:20, Mark Thomas wrote:


The proposed 10.0.20 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.0.20 (stable)


Unit tests pass on Linux, Windows and MacOS

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[VOTE] Release Apache Tomcat 10.0.20

2022-03-31 Thread Mark Thomas 

The proposed Apache Tomcat 10.0.20 release is now available for
voting.

Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
package for all the specification APIs has changed from javax.* to jakarta.*

Applications that run on Tomcat 9 will not run on Tomcat 10 without 
changes. Java EE applications designed for Tomcat 9 and earlier may be 
placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will 
automatically convert them to Jakarta EE and copy them to the webapps 
directory


The notable changes compared to 10.0.18 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
  pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
  Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
  such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
  a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.20/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1369

The tag is:
https://github.com/apache/tomcat/tree/10.0.20
2a46c651529a9d237b4d6beb1ef846922d949342

The proposed 10.0.20 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 10.0.20 (stable)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.61

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 4:58 PM  wrote:
>
> Rémy,
>
> Will the Spring Framework Zero Day result in moving to release 9.0.62, 
> surpassing 9.0.61 currently in vote?

Same as for 10.1, the most likely is that the 9.0.61 is cancelled.

Rémy

> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you 
> are not the addressee or authorized to receive this for the addressee, you 
> must not use, copy, disclose, or take any action based on this message or any 
> information herein. If you have received this message in error, please advise 
> the sender immediately by reply e-mail and delete this message. Thank you for 
> your cooperation.
>
>
> > -Original Message-
> > From: Rémy Maucherat 
> > Sent: Wednesday, March 30, 2022 3:22 AM
> > To: Tomcat Developers List 
> > Subject: [VOTE] Release Apache Tomcat 9.0.61
> >
> > The proposed Apache Tomcat 9.0.61 release is now available for voting.
> >
> > The notable changes compared to 9.0.60 are:
> >
> > - Fix a potential thread-safety issue that could cause HTTP/1.1 request
> >processing to pause, and potentially timeout, waiting for additional
> >data when the full request has been received.
> >
> > - Fix a regression introduced with 65757 bugfix which better identified
> >non request threads but which introduced a similar problem when user
> >code was doing sequential operations in a single thread.
> >
> > - When resolving methods in EL expressions that use beans and/or static
> >fields, ensure that any custom type conversion is considered when
> >identifying the method to call.
> >
> > Along with lots of other bug fixes and improvements.
> >
> > For full details, see the changelog:
> > https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat-
> > 9.0.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> > F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4f6n0DAak$
> >
> > It can be obtained from:
> > https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tomc
> > at/tomcat-9/v9.0.61/__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> > F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4fLrXOhN4$
> > The Maven staging repo is:
> > https://urldefense.com/v3/__https://repository.apache.org/content/reposi
> > tories/orgapachetomcat-1366__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> > F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4fYUTTyiA$
> > The tag is:
> > https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/9.0.6
> > 1__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> > F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4fVDyFgoI$
> > 6c6432ac1416ed369f892b9ce76e10c7eb10b91c
> >
> > The proposed 9.0.61 release is:
> > [ ] Broken - do not release
> > [ ] Stable - go ahead and release as 9.0.61 (stable)
> >
> > Rémy
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
> > commands, e-mail: dev-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

RE: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread jonmcalexander 
Thank you Mark. I know it's not a Tomcat vulnerability, but if the Hardening 
mitigates the other, then that had me wondering was all.

Thanks for the position clarification.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, March 31, 2022 10:08 AM
> To: dev@tomcat.apache.org
> Subject: Re: [VOTE] Release Apache Tomcat 10.1.0-M14
> 
> On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Noting the Hardening of the class loader, is this going to require this to 
> > be a
> security release of the newest Tomcat releases (forthcoming), or will they
> still just be standard releases?
> 
> That change does not address a security vulnerability in Apache Tomcat.
> 
> There will be no CVE for this change.
> 
> We generally use hardening to refer to things that do not address a
> vulnerability but improve the overall security posture. Typically, these
> changes provide additional defense in depth.
> 
> In this instance, it mitigates CVE-2022-22965 which is a Spring Framework
> vulnerability. The main purpose of the release is to provide end users with an
> alternative option if updating Tomcat is simpler than updating the version of
> Spring they are using.
> 
> To provide some context, similar recent hardening changes include:
> 
> - Using a constant time algorithm to compare passwords. Analysis showed
>that a timing attack wasn't feasible but we switched now in case it
>became feasible as some point in the future
> 
> - We changed the BeanFactory in 10.1.x (and might back-port the change)
>to prevent it from being used if an application has a JNDI injection
>vulnerability
> 
> Finally, we will either keep completely silent about security vulnerabilities
> until they are published or we will be completely open about them up front
> (e.g. if there is a zero day).
> 
> HTH,
> 
> Mark
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
> commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas 

On 31/03/2022 16:05, jonmcalexan...@wellsfargo.com.INVALID wrote:

Sorry, just read the thread in tomcat.developers. I don't know about doing in 
parallel. IT may be best to just supersede to 10.0.20 and 9.0.62 instead of 
rolling .19 and .61. Less confusion.


No problem. I think there is general agreement on the confusion point. 
For now, we are leaving the earlier release votes open just to give us 
options if (as unlikely that it is) something goes wrong with the later 
releases.


My current expectation is that, assuming the new votes pass, the older 
votes will be cancelled when the new votes have passed.


Mark



Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: jonmcalexan...@wellsfargo.com.INVALID

Sent: Thursday, March 31, 2022 9:56 AM
To: dev@tomcat.apache.org
Subject: RE: [VOTE] Release Apache Tomcat 10.1.0-M14

Noting the Hardening of the class loader, is this going to require this to be a
security release of the newest Tomcat releases (forthcoming), or will they
still just be standard releases?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Thursday, March 31, 2022 8:58 AM
To: Tomcat Developers List 
Subject: [VOTE] Release Apache Tomcat 10.1.0-M14

The proposed Apache Tomcat 10.1.0-M14 release is now available for

voting.


Applications that run on Tomcat 9 and earlier will not run on Tomcat
10 without changes. Java EE applications designed for Tomcat 9 and
earlier may be placed in the $CATALINA_BASE/webapps-javaee directory
and Tomcat will automatically convert them to Jakarta EE and copy them
to the webapps directory.

The notable changes compared to 10.1.0-M12 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
Thomas Hoffmann.

- Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
renamed for Jakarta EE 10)

- Harden the class loader to provide a mitigation for CVE-2022-22965
a Spring Framework vulnerability

For full details, see the change log:
https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat
-

10.1.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXA

HCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG49qpLRI$

It can be obtained from:
https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tom
c
at/tomcat-10/v10.1.0-
M14/__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG6BHBJ-s$

The Maven staging repo is:
https://urldefense.com/v3/__https://repository.apache.org/content/repo
si
tories/orgapachetomcat-
1367__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG7SAVFwo$

The tag is:


https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/10.1.

0-M14__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhGfLmoUPs$
02e84c839def0228475fad85d0b19abc2f70b03f


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For
additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-m

Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas 

On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:

Noting the Hardening of the class loader, is this going to require this to be a 
security release of the newest Tomcat releases (forthcoming), or will they 
still just be standard releases?


That change does not address a security vulnerability in Apache Tomcat.

There will be no CVE for this change.

We generally use hardening to refer to things that do not address a 
vulnerability but improve the overall security posture. Typically, these 
changes provide additional defense in depth.


In this instance, it mitigates CVE-2022-22965 which is a Spring 
Framework vulnerability. The main purpose of the release is to provide 
end users with an alternative option if updating Tomcat is simpler than 
updating the version of Spring they are using.


To provide some context, similar recent hardening changes include:

- Using a constant time algorithm to compare passwords. Analysis showed
  that a timing attack wasn't feasible but we switched now in case it
  became feasible as some point in the future

- We changed the BeanFactory in 10.1.x (and might back-port the change)
  to prevent it from being used if an application has a JNDI injection
  vulnerability

Finally, we will either keep completely silent about security 
vulnerabilities until they are published or we will be completely open 
about them up front (e.g. if there is a zero day).


HTH,

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

RE: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread jonmcalexander 
Sorry, just read the thread in tomcat.developers. I don't know about doing in 
parallel. IT may be best to just supersede to 10.0.20 and 9.0.62 instead of 
rolling .19 and .61. Less confusion.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Thursday, March 31, 2022 9:56 AM
> To: dev@tomcat.apache.org
> Subject: RE: [VOTE] Release Apache Tomcat 10.1.0-M14
> 
> Noting the Hardening of the class loader, is this going to require this to be 
> a
> security release of the newest Tomcat releases (forthcoming), or will they
> still just be standard releases?
> 
> Thanks,
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> 
> 
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Thursday, March 31, 2022 8:58 AM
> > To: Tomcat Developers List 
> > Subject: [VOTE] Release Apache Tomcat 10.1.0-M14
> >
> > The proposed Apache Tomcat 10.1.0-M14 release is now available for
> voting.
> >
> > Applications that run on Tomcat 9 and earlier will not run on Tomcat
> > 10 without changes. Java EE applications designed for Tomcat 9 and
> > earlier may be placed in the $CATALINA_BASE/webapps-javaee directory
> > and Tomcat will automatically convert them to Jakarta EE and copy them
> > to the webapps directory.
> >
> > The notable changes compared to 10.1.0-M12 are:
> >
> > - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> >pick up Windows binaries built with OpenSSL 1.1.1n.
> >
> > - Improve logging of unknown HTTP/2 settings frames. Pull request by
> >Thomas Hoffmann.
> >
> > - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
> >renamed for Jakarta EE 10)
> >
> > - Harden the class loader to provide a mitigation for CVE-2022-22965
> >a Spring Framework vulnerability
> >
> > For full details, see the change log:
> > https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat
> > -
> 10.1.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXA
> > HCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG49qpLRI$
> >
> > It can be obtained from:
> > https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tom
> > c
> > at/tomcat-10/v10.1.0-
> > M14/__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
> > s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG6BHBJ-s$
> >
> > The Maven staging repo is:
> > https://urldefense.com/v3/__https://repository.apache.org/content/repo
> > si
> > tories/orgapachetomcat-
> > 1367__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
> > s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG7SAVFwo$
> >
> > The tag is:
> >
> https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/10.1.
> > 0-M14__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
> > s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhGfLmoUPs$
> > 02e84c839def0228475fad85d0b19abc2f70b03f
> >
> >
> > The proposed 10.1.0-M14 release is:
> > [ ] Broken - do not release
> > [ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For
> > additional commands, e-mail: dev-h...@tomcat.apache.org
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
> commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

RE: [VOTE] Release Apache Tomcat 9.0.61

2022-03-31 Thread jonmcalexander 
Rémy,

Will the Spring Framework Zero Day result in moving to release 9.0.62, 
surpassing 9.0.61 currently in vote?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Rémy Maucherat 
> Sent: Wednesday, March 30, 2022 3:22 AM
> To: Tomcat Developers List 
> Subject: [VOTE] Release Apache Tomcat 9.0.61
> 
> The proposed Apache Tomcat 9.0.61 release is now available for voting.
> 
> The notable changes compared to 9.0.60 are:
> 
> - Fix a potential thread-safety issue that could cause HTTP/1.1 request
>processing to pause, and potentially timeout, waiting for additional
>data when the full request has been received.
> 
> - Fix a regression introduced with 65757 bugfix which better identified
>non request threads but which introduced a similar problem when user
>code was doing sequential operations in a single thread.
> 
> - When resolving methods in EL expressions that use beans and/or static
>fields, ensure that any custom type conversion is considered when
>identifying the method to call.
> 
> Along with lots of other bug fixes and improvements.
> 
> For full details, see the changelog:
> https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat-
> 9.0.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4f6n0DAak$
> 
> It can be obtained from:
> https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tomc
> at/tomcat-9/v9.0.61/__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4fLrXOhN4$
> The Maven staging repo is:
> https://urldefense.com/v3/__https://repository.apache.org/content/reposi
> tories/orgapachetomcat-1366__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4fYUTTyiA$
> The tag is:
> https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/9.0.6
> 1__;!!F9svGWnIaVPGSwU!7XK-DbVirPj3r-
> F7wfi6sKyGhYbedykficURS6hxf41RBWPgm_J3aM8LgZ-NVP4fVDyFgoI$
> 6c6432ac1416ed369f892b9ce76e10c7eb10b91c
> 
> The proposed 9.0.61 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 9.0.61 (stable)
> 
> Rémy
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional
> commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 10.0.x updated: Increment version for next development cycle

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 63f0daa  Increment version for next development cycle
63f0daa is described below

commit 63f0daac3b5978a16293bf2254e99b06f9c117ac
Author: Mark Thomas 
AuthorDate: Thu Mar 31 15:57:40 2022 +0100

Increment version for next development cycle
---
 build.properties.default | 2 +-
 res/maven/mvn.properties.default | 2 +-
 webapps/docs/changelog.xml   | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index a5f9dc3..2bfb53f 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -31,7 +31,7 @@
 # - Version Control Flags -
 version.major=10
 version.minor=0
-version.build=20
+version.build=21
 version.patch=0
 version.suffix=-dev
 
diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default
index d2e1e88..73cf7fb 100644
--- a/res/maven/mvn.properties.default
+++ b/res/maven/mvn.properties.default
@@ -39,7 +39,7 @@ 
maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d
 maven.asf.release.repo.repositoryId=apache.releases.https
 
 # Release version info
-maven.asf.release.deploy.version=10.0.20
+maven.asf.release.deploy.version=10.0.21
 
 #Where do we load the libraries from
 tomcat.lib.path=../../output/build/lib
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 512eec7..b16e967 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,9 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
+
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch main updated: Increment version for next development cycle

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new d711718  Increment version for next development cycle
d711718 is described below

commit d71171811175518b64fccf2655e5dfa613e1c0a4
Author: Mark Thomas 
AuthorDate: Thu Mar 31 15:56:23 2022 +0100

Increment version for next development cycle
---
 build.properties.default | 2 +-
 res/maven/mvn.properties.default | 2 +-
 webapps/docs/changelog.xml   | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 68bcf72..ebdf768 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -33,7 +33,7 @@ version.major=10
 version.minor=1
 version.build=0
 version.patch=0
-version.suffix=-M14-dev
+version.suffix=-M15-dev
 
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default
index 199599e..48a92ce 100644
--- a/res/maven/mvn.properties.default
+++ b/res/maven/mvn.properties.default
@@ -39,7 +39,7 @@ 
maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d
 maven.asf.release.repo.repositoryId=apache.releases.https
 
 # Release version info
-maven.asf.release.deploy.version=10.1.0-M14
+maven.asf.release.deploy.version=10.1.0-M15
 
 #Where do we load the libraries from
 tomcat.lib.path=../../output/build/lib
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index cb82a40..98b619e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,9 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
+
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

RE: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread jonmcalexander 
Noting the Hardening of the class loader, is this going to require this to be a 
security release of the newest Tomcat releases (forthcoming), or will they 
still just be standard releases?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, March 31, 2022 8:58 AM
> To: Tomcat Developers List 
> Subject: [VOTE] Release Apache Tomcat 10.1.0-M14
> 
> The proposed Apache Tomcat 10.1.0-M14 release is now available for voting.
> 
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier may
> be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the webapps
> directory.
> 
> The notable changes compared to 10.1.0-M12 are:
> 
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
> 
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
> 
> - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
>renamed for Jakarta EE 10)
> 
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>a Spring Framework vulnerability
> 
> For full details, see the change log:
> https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat-
> 10.1.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXA
> HCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG49qpLRI$
> 
> It can be obtained from:
> https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tomc
> at/tomcat-10/v10.1.0-
> M14/__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
> s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG6BHBJ-s$
> 
> The Maven staging repo is:
> https://urldefense.com/v3/__https://repository.apache.org/content/reposi
> tories/orgapachetomcat-
> 1367__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
> s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG7SAVFwo$
> 
> The tag is:
> https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/10.1.
> 0-M14__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-
> s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhGfLmoUPs$
> 02e84c839def0228475fad85d0b19abc2f70b03f
> 
> 
> The proposed 10.1.0-M14 release is:
> [ ] Broken - do not release
> [ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[VOTE] Release Apache Tomcat 9.0.62

2022-03-31 Thread Rémy Maucherat 
The proposed Apache Tomcat 9.0.62 release is now available for voting.

The notable changes compared to 9.0.60 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
   pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
   Thomas Hoffmann.

- Add additional warnings if incompatible TLS configurations are used
   such as HTTP/2 with CLIENT-CERT authentication

- Harden the class loader to provide a mitigation for CVE-2022-22965
   a Spring Framework vulnerability

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.62/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1368
The tag is:
https://github.com/apache/tomcat/tree/9.0.62
85113741042dcce9e9792bdbc3d498172bc31291

The proposed 9.0.62 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 9.0.62 (stable)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 8.5.x updated: Update repeatable build timestamp (currently unused)

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new ea56344  Update repeatable build timestamp (currently unused)
ea56344 is described below

commit ea56344c1af63900913fd7363a78b1c21151b2ad
Author: remm 
AuthorDate: Thu Mar 31 15:37:25 2022 +0200

Update repeatable build timestamp (currently unused)
---
 build.properties.default | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 3152f39..c20b316 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -38,8 +38,8 @@ version.suffix=-dev
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
 # Note: The value is in seconds (unlike milliseconds used by 
System.currentTimeMillis()).
-#2022-01-12T06:00:00Z
-#ant.tstamp.now=1642003200
+#2022-03-31T12:00:00Z
+#ant.tstamp.now=1648728000
 
 # - Source control flags -
 git.branch=8.5.x

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r53484 - in /dev/tomcat/tomcat-10/v10.0.20: ./ bin/ bin/embed/ src/

2022-03-31 Thread markt 
Author: markt
Date: Thu Mar 31 14:50:17 2022
New Revision: 53484

Log:
Upload 10.0.20 for voting

Added:
dev/tomcat/tomcat-10/v10.0.20/
dev/tomcat/tomcat-10/v10.0.20/KEYS
dev/tomcat/tomcat-10/v10.0.20/README.html
dev/tomcat/tomcat-10/v10.0.20/RELEASE-NOTES
dev/tomcat/tomcat-10/v10.0.20/bin/
dev/tomcat/tomcat-10/v10.0.20/bin/README.html
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-deployer.tar.gz   
(with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-deployer.tar.gz.asc

dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-deployer.tar.gz.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-deployer.zip   
(with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-deployer.zip.asc
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-deployer.zip.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-fulldocs.tar.gz   
(with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-fulldocs.tar.gz.asc

dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-fulldocs.tar.gz.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-windows-x64.zip   
(with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-windows-x64.zip.asc

dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-windows-x64.zip.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-windows-x86.zip   
(with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-windows-x86.zip.asc

dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20-windows-x86.zip.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.exe   (with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.exe.asc
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.exe.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.tar.gz   (with 
props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.tar.gz.asc
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.tar.gz.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.zip   (with props)
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.zip.asc
dev/tomcat/tomcat-10/v10.0.20/bin/apache-tomcat-10.0.20.zip.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/embed/
dev/tomcat/tomcat-10/v10.0.20/bin/embed/apache-tomcat-10.0.20-embed.tar.gz  
 (with props)

dev/tomcat/tomcat-10/v10.0.20/bin/embed/apache-tomcat-10.0.20-embed.tar.gz.asc

dev/tomcat/tomcat-10/v10.0.20/bin/embed/apache-tomcat-10.0.20-embed.tar.gz.sha512
dev/tomcat/tomcat-10/v10.0.20/bin/embed/apache-tomcat-10.0.20-embed.zip   
(with props)
dev/tomcat/tomcat-10/v10.0.20/bin/embed/apache-tomcat-10.0.20-embed.zip.asc

dev/tomcat/tomcat-10/v10.0.20/bin/embed/apache-tomcat-10.0.20-embed.zip.sha512
dev/tomcat/tomcat-10/v10.0.20/src/
dev/tomcat/tomcat-10/v10.0.20/src/apache-tomcat-10.0.20-src.tar.gz   (with 
props)
dev/tomcat/tomcat-10/v10.0.20/src/apache-tomcat-10.0.20-src.tar.gz.asc
dev/tomcat/tomcat-10/v10.0.20/src/apache-tomcat-10.0.20-src.tar.gz.sha512
dev/tomcat/tomcat-10/v10.0.20/src/apache-tomcat-10.0.20-src.zip   (with 
props)
dev/tomcat/tomcat-10/v10.0.20/src/apache-tomcat-10.0.20-src.zip.asc
dev/tomcat/tomcat-10/v10.0.20/src/apache-tomcat-10.0.20-src.zip.sha512

Added: dev/tomcat/tomcat-10/v10.0.20/KEYS
==
--- dev/tomcat/tomcat-10/v10.0.20/KEYS (added)
+++ dev/tomcat/tomcat-10/v10.0.20/KEYS Thu Mar 31 14:50:17 2022
@@ -0,0 +1,453 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+pub   4096R/2F6059E7 2009-09-18
+  Key fingerprint = A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7
+uid  Mark E D Thomas 
+sub   4096R/5E763BEC 2009-09-18
+
+-BEGIN PGP PUBLIC KEY BLOCK-
+Comment: GPGTools - http://gpgtools.org
+
+mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX
+pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t
+6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K
+GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz
+4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M
+UVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJtgXmcUwq31T1+SlXdYjNJ1aF
+kUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4jyHb8k8vxi6qT6Udn
+lcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77egI4P/82oPbzzFi
+GFqXyJKULVgxtdQ3JikCpodp3f1fh6PlYZwkW4xCJLJucJ5MiQp07HAkMVW5w+k8
+Xvuk4i5quh3N+2kzKHOOiQCDmN0sz0XjOE+

[tomcat] branch 9.0.x updated: Next is 9.0.63

2022-03-31 Thread remm 
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 4683c7e  Next is 9.0.63
4683c7e is described below

commit 4683c7e9d930cbe5173a2d8730af9ded8ee517e5
Author: remm 
AuthorDate: Thu Mar 31 16:41:37 2022 +0200

Next is 9.0.63
---
 build.properties.default | 2 +-
 res/maven/mvn.properties.default | 2 +-
 webapps/docs/changelog.xml   | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index d656418..351aa58 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -31,7 +31,7 @@
 # - Version Control Flags -
 version.major=9
 version.minor=0
-version.build=62
+version.build=63
 version.patch=0
 version.suffix=-dev
 
diff --git a/res/maven/mvn.properties.default b/res/maven/mvn.properties.default
index dd320d2..9573784 100644
--- a/res/maven/mvn.properties.default
+++ b/res/maven/mvn.properties.default
@@ -39,7 +39,7 @@ 
maven.asf.release.repo.url=https://repository.apache.org/service/local/staging/d
 maven.asf.release.repo.repositoryId=apache.releases.https
 
 # Release version info
-maven.asf.release.deploy.version=9.0.62
+maven.asf.release.deploy.version=9.0.63
 
 #Where do we load the libraries from
 tomcat.lib.path=../../output/build/lib
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f6b43e9..3e8791b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,9 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
+
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r53483 - in /dev/tomcat/tomcat-9/v9.0.62: ./ bin/ bin/embed/ src/

2022-03-31 Thread remm 
Author: remm
Date: Thu Mar 31 14:40:53 2022
New Revision: 53483

Log:
Upload 9.0.62 for voting

Added:
dev/tomcat/tomcat-9/v9.0.62/
dev/tomcat/tomcat-9/v9.0.62/KEYS
dev/tomcat/tomcat-9/v9.0.62/README.html
dev/tomcat/tomcat-9/v9.0.62/RELEASE-NOTES
dev/tomcat/tomcat-9/v9.0.62/bin/
dev/tomcat/tomcat-9/v9.0.62/bin/README.html
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-deployer.tar.gz   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-deployer.tar.gz.asc   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-deployer.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-deployer.zip   (with 
props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-deployer.zip.asc   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-deployer.zip.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-fulldocs.tar.gz   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-fulldocs.tar.gz.asc   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-fulldocs.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-windows-x64.zip   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-windows-x64.zip.asc   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-windows-x64.zip.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-windows-x86.zip   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-windows-x86.zip.asc   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62-windows-x86.zip.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.exe   (with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.exe.asc   (with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.exe.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz   (with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz.asc   (with 
props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.zip   (with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.zip.asc   (with props)
dev/tomcat/tomcat-9/v9.0.62/bin/apache-tomcat-9.0.62.zip.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/embed/
dev/tomcat/tomcat-9/v9.0.62/bin/embed/apache-tomcat-9.0.62-embed.tar.gz   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/embed/apache-tomcat-9.0.62-embed.tar.gz.asc 
  (with props)

dev/tomcat/tomcat-9/v9.0.62/bin/embed/apache-tomcat-9.0.62-embed.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.62/bin/embed/apache-tomcat-9.0.62-embed.zip   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/embed/apache-tomcat-9.0.62-embed.zip.asc   
(with props)
dev/tomcat/tomcat-9/v9.0.62/bin/embed/apache-tomcat-9.0.62-embed.zip.sha512
dev/tomcat/tomcat-9/v9.0.62/src/
dev/tomcat/tomcat-9/v9.0.62/src/apache-tomcat-9.0.62-src.tar.gz   (with 
props)
dev/tomcat/tomcat-9/v9.0.62/src/apache-tomcat-9.0.62-src.tar.gz.asc   (with 
props)
dev/tomcat/tomcat-9/v9.0.62/src/apache-tomcat-9.0.62-src.tar.gz.sha512
dev/tomcat/tomcat-9/v9.0.62/src/apache-tomcat-9.0.62-src.zip   (with props)
dev/tomcat/tomcat-9/v9.0.62/src/apache-tomcat-9.0.62-src.zip.asc   (with 
props)
dev/tomcat/tomcat-9/v9.0.62/src/apache-tomcat-9.0.62-src.zip.sha512

Added: dev/tomcat/tomcat-9/v9.0.62/KEYS
==
--- dev/tomcat/tomcat-9/v9.0.62/KEYS (added)
+++ dev/tomcat/tomcat-9/v9.0.62/KEYS Thu Mar 31 14:40:53 2022
@@ -0,0 +1,237 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+pub   1024D/33C60243 2004-09-12
+  Key fingerprint = DCFD 35E0 BF8C A734 4752  DE8B 6FB2 1E89 33C6 0243
+uid  Mark E D Thomas 
+uid  Mark E D Thomas 
+uid  Mark E D Thomas 
+sub   2048g/0BECE548 2004-09-12
+
+pub   4096R/2F6059E7 2009-09-18
+  Key fingerprint = A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7
+uid  Mark E D Thomas 
+sub   4096R/5E763BEC 2009-09-18
+
+-BEGIN PGP PUBLIC KEY BLOCK-
+Version: GnuPG v1.4.9 (MingW32)
+
+mQGiBEFEjegRBADocGttfROvtLGrTOW3xRqZHmFWybmEaI6jmnRdN/1gGXmb3wQL
+rHsS3fLFIIOYLPph0Kov9q4qNq36LekShIvjMBDFoj2/wRxaUtFq81asaRZg8Mcw
+4kVeIoe8OIOuWmvYhU8SH2jJNUnVVrpTPAa6QWquTmseNi6UJMjLxuL7DwCg//9u
+k2yj0vk6e4WSO6Fe5+EkQDED/AjQsy0kj9TpNHkKSSUR2evRlWPYA0YtxBSbsgON
+tT0cYipAp5IcYt6Zq5QzHiZreyQXLAjItDS2oGCIXfNbTYJ3kxxJTCU/3wlefV

[tomcat] 01/01: Tag 9.0.62

2022-03-31 Thread remm 
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to tag 9.0.62
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 85113741042dcce9e9792bdbc3d498172bc31291
Author: remm 
AuthorDate: Thu Mar 31 16:32:15 2022 +0200

Tag 9.0.62
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index d656418..f74f02d 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -33,7 +33,7 @@ version.major=9
 version.minor=0
 version.build=62
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f6b43e9..0340ca0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   
@@ -116,7 +116,7 @@
 
   
 
-
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] tag 9.0.62 created (now 8511374)

2022-03-31 Thread remm 
This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to tag 9.0.62
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 8511374  (commit)
This tag includes the following new commits:

 new 8511374  Tag 9.0.62

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 01/01: Tag 10.0.20

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 10.0.20
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 2a46c651529a9d237b4d6beb1ef846922d949342
Author: Mark Thomas 
AuthorDate: Thu Mar 31 15:21:35 2022 +0100

Tag 10.0.20
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index a5f9dc3..56590fc 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -33,7 +33,7 @@ version.major=10
 version.minor=0
 version.build=20
 version.patch=0
-version.suffix=-dev
+version.suffix=
 
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 512eec7..3d6330d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   
@@ -116,7 +116,7 @@
 
   
 
-
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] tag 10.0.20 created (now 2a46c65)

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 10.0.20
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 2a46c65  (commit)
This tag includes the following new commits:

 new 2a46c65  Tag 10.0.20

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] branch 9.0.x updated: Update repeatable build timestamp (currently unused)

2022-03-31 Thread Konstantin Kolinko 
чт, 31 мар. 2022 г. в 16:38, :
>
> This is an automated email from the ASF dual-hosted git repository.
>
> remm pushed a commit to branch 9.0.x
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/9.0.x by this push:
>  new ccbd0fd  Update repeatable build timestamp (currently unused)
> ccbd0fd is described below
>
> commit ccbd0fddff25d00655206054ffd426f0323eca07
> Author: remm 
> AuthorDate: Thu Mar 31 15:37:25 2022 +0200
>
> Update repeatable build timestamp (currently unused)
> ---
>  build.properties.default | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/build.properties.default b/build.properties.default
> index a8db96f..d656418 100644
> --- a/build.properties.default
> +++ b/build.properties.default
> @@ -38,8 +38,8 @@ version.suffix=-dev
>  # - Reproducible builds -
>  # Uncomment and set to current time for reproducible builds
>  # Note: The value is in seconds (unlike milliseconds used by 
> System.currentTimeMillis()).
> -#2022-03-30T00:00:00Z
> -#ant.tstamp.now=1648598400
> ++#2022-03-31T12:00:00Z
> ++#ant.tstamp.now=1648728000

Note doubled "++"
There are leading "+" on those lines.



Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 3:58 PM Mark Thomas  wrote:
>
> The proposed Apache Tomcat 10.1.0-M14 release is now available for
> voting.
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory.
>
> The notable changes compared to 10.1.0-M12 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
>renamed for Jakarta EE 10)
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>a Spring Framework vulnerability
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1367
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.0-M14
> 02e84c839def0228475fad85d0b19abc2f70b03f
>
>
> The proposed 10.1.0-M14 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 10.1.0-M14 (alpha)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: svn commit: r53481 - in /dev/tomcat/tomcat-10/v10.1.0-M14: ./ bin/ bin/embed/ src/

2022-03-31 Thread Konstantin Kolinko 
чт, 31 мар. 2022 г. в 16:56, :
>
> Author: markt
> Date: Thu Mar 31 13:56:26 2022
> New Revision: 53481
>
> Log:
> Upload 10.1.0-M14 for voting
>
> Added:
> dev/tomcat/tomcat-10/v10.1.0-M14/
> dev/tomcat/tomcat-10/v10.1.0-M14/KEYS
> dev/tomcat/tomcat-10/v10.1.0-M14/README.html
> dev/tomcat/tomcat-10/v10.1.0-M14/RELEASE-NOTES
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/README.html
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.tar.gz 
>   (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.tar.gz.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.tar.gz.sha512
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.zip   
> (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.zip.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.zip.sha512
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-fulldocs.tar.gz 
>   (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-fulldocs.tar.gz.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-fulldocs.tar.gz.sha512
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x64.zip 
>   (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x64.zip.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x64.zip.sha512
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x86.zip 
>   (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x86.zip.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x86.zip.sha512
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.exe   (with 
> props)
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.exe.asc
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.exe.sha512
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.tar.gz   
> (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.tar.gz.sha512
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.zip   (with 
> props)
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.zip.sha512

Mark,
note that *,asc files are missing for the above two archives.

> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.tar.gz
>(with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.tar.gz.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.tar.gz.sha512
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.zip 
>   (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.zip.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.zip.sha512
> dev/tomcat/tomcat-10/v10.1.0-M14/src/
> dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.tar.gz  
>  (with props)
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.tar.gz.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.tar.gz.sha512
> dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.zip   
> (with props)
> dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.zip.asc
> 
> dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.zip.sha512
>

(diffs skipped)

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas 

On 31/03/2022 14:57, Mark Thomas wrote:


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[X] Alpha - go ahead and release as 10.1.0-M14 (alpha)


Tests pass on Linux, Windows and MacOS

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas 

The proposed Apache Tomcat 10.1.0-M14 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M12 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
  pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
  Thomas Hoffmann.

- Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
  renamed for Jakarta EE 10)

- Harden the class loader to provide a mitigation for CVE-2022-22965
  a Spring Framework vulnerability

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1367

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M14
02e84c839def0228475fad85d0b19abc2f70b03f


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r53481 - in /dev/tomcat/tomcat-10/v10.1.0-M14: ./ bin/ bin/embed/ src/

2022-03-31 Thread markt 
Author: markt
Date: Thu Mar 31 13:56:26 2022
New Revision: 53481

Log:
Upload 10.1.0-M14 for voting

Added:
dev/tomcat/tomcat-10/v10.1.0-M14/
dev/tomcat/tomcat-10/v10.1.0-M14/KEYS
dev/tomcat/tomcat-10/v10.1.0-M14/README.html
dev/tomcat/tomcat-10/v10.1.0-M14/RELEASE-NOTES
dev/tomcat/tomcat-10/v10.1.0-M14/bin/
dev/tomcat/tomcat-10/v10.1.0-M14/bin/README.html

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.tar.gz   
(with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.tar.gz.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.tar.gz.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.zip  
 (with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.zip.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-deployer.zip.sha512

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-fulldocs.tar.gz   
(with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-fulldocs.tar.gz.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-fulldocs.tar.gz.sha512

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x64.zip   
(with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x64.zip.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x64.zip.sha512

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x86.zip   
(with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x86.zip.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14-windows-x86.zip.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.exe   (with 
props)
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.exe.asc
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.exe.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.tar.gz   
(with props)
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.tar.gz.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.zip   (with 
props)
dev/tomcat/tomcat-10/v10.1.0-M14/bin/apache-tomcat-10.1.0-M14.zip.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/

dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.tar.gz
   (with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.tar.gz.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.tar.gz.sha512

dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.zip   
(with props)

dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.zip.asc

dev/tomcat/tomcat-10/v10.1.0-M14/bin/embed/apache-tomcat-10.1.0-M14-embed.zip.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/src/
dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.tar.gz   
(with props)
dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.tar.gz.asc

dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.tar.gz.sha512
dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.zip   
(with props)
dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.zip.asc
dev/tomcat/tomcat-10/v10.1.0-M14/src/apache-tomcat-10.1.0-M14-src.zip.sha512

Added: dev/tomcat/tomcat-10/v10.1.0-M14/KEYS
==
--- dev/tomcat/tomcat-10/v10.1.0-M14/KEYS (added)
+++ dev/tomcat/tomcat-10/v10.1.0-M14/KEYS Thu Mar 31 13:56:26 2022
@@ -0,0 +1,453 @@
+This file contains the PGP&GPG keys of various Apache developers.
+Please don't use them for email unless you have to. Their main
+purpose is code signing.
+
+Apache users: pgp < KEYS
+Apache developers:
+(pgpk -ll  && pgpk -xa ) >> this file.
+  or
+(gpg --fingerprint --list-sigs 
+ && gpg --armor --export ) >> this file.
+
+Apache developers: please ensure that your key is also available via the
+PGP keyservers (such as pgpkeys.mit.edu).
+
+
+pub   4096R/2F6059E7 2009-09-18
+  Key fingerprint = A9C5 DF4D 22E9 9998 D987  5A51 10C0 1C5A 2F60 59E7
+uid  Mark E D Thomas 
+sub   4096R/5E763BEC 2009-09-18
+
+-BEGIN PGP PUBLIC KEY BLOCK-
+Comment: GPGTools - http://gpgtools.org
+
+mQINBEq0DukBEAD4jovHOPJDxoD+JnO1Go2kiwpgRULasGlrVKuSUdP6wzcaqWmX
+pqtOJKKwW2MQFQLmg7nQ9RjJwy3QCbKNDJQA/bwbQT1F7WzTCz2S6vxC4zxKck4t
+6RZBq2dJsYKF0CEh6ZfY4dmKvhq+3istSoFRdHYoOPGWZpuRDqfZPdGm/m335/6K
+GH59oysn1NE7a2a+kZzjBSEgv23+l4Z1Rg7+fpz1JcdHSdC2Z+ZRxML25eVatRVz
+4yvDOZItqDURP24zWOodxgboldV6Y88C3v/7KRR+1vklzkuA2FqF8Q4r/2f0su7M
+UVviQcy29y/RlLSDTTYoVlCZ1ni14qFU7Hpw43KJtgXmcUwq31T1+SlXdYjNJ1aF
+kUi8BjCHDcSgE/IReKUanjHzm4XSymKDTeqqzidi4k6PDD4jyHb8k8vxi6qT6Udn
+lcfo5NBkkUT1TauhEy8ktHhbl9k60BvvMBP9l6cURiJg1WS77e

[tomcat] branch 9.0.x updated: Update repeatable build timestamp (currently unused)

2022-03-31 Thread remm 
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new ccbd0fd  Update repeatable build timestamp (currently unused)
ccbd0fd is described below

commit ccbd0fddff25d00655206054ffd426f0323eca07
Author: remm 
AuthorDate: Thu Mar 31 15:37:25 2022 +0200

Update repeatable build timestamp (currently unused)
---
 build.properties.default | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index a8db96f..d656418 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -38,8 +38,8 @@ version.suffix=-dev
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
 # Note: The value is in seconds (unlike milliseconds used by 
System.currentTimeMillis()).
-#2022-03-30T00:00:00Z
-#ant.tstamp.now=1648598400
++#2022-03-31T12:00:00Z
++#ant.tstamp.now=1648728000
 
 # - Source control flags -
 git.branch=9.0.x

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 10.0.x updated: Update repeatable build timestamp (currently unused)

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new a7a040e  Update repeatable build timestamp (currently unused)
a7a040e is described below

commit a7a040eaccdbcaf436930544415e4c43c7518285
Author: Mark Thomas 
AuthorDate: Thu Mar 31 13:48:48 2022 +0100

Update repeatable build timestamp (currently unused)
---
 build.properties.default | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index faf6523..a5f9dc3 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -38,8 +38,8 @@ version.suffix=-dev
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
 # Note: The value is in seconds (unlike milliseconds used by 
System.currentTimeMillis()).
-#2022-03-30T00:00:00Z
-#ant.tstamp.now=1648598400
+#2022-03-31T12:00:00Z
+#ant.tstamp.now=1648728000
 
 # - Source control flags -
 git.branch=10.0.x

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] tag 10.1.0-M14 created (now 02e84c8)

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to tag 10.1.0-M14
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


  at 02e84c8  (commit)
This tag includes the following new commits:

 new 02e84c8  Tag 10.1.0-M14

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] 01/01: Tag 10.1.0-M14

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to tag 10.1.0-M14
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 02e84c839def0228475fad85d0b19abc2f70b03f
Author: Mark Thomas 
AuthorDate: Thu Mar 31 14:24:11 2022 +0100

Tag 10.1.0-M14
---
 build.properties.default   | 2 +-
 webapps/docs/changelog.xml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 68bcf72..90cd818 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -33,7 +33,7 @@ version.major=10
 version.minor=1
 version.build=0
 version.patch=0
-version.suffix=-M14-dev
+version.suffix=-M14
 
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index cb82a40..482c363 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,7 +104,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-
+
   
 
   
@@ -121,7 +121,7 @@
 
   
 
-
+
   
 
   

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch main updated: Update repeatable build timestamp (currently unused)

2022-03-31 Thread markt 
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new a29499c  Update repeatable build timestamp (currently unused)
a29499c is described below

commit a29499c18b311f1c314afc6798840631f0a3d876
Author: Mark Thomas 
AuthorDate: Thu Mar 31 13:48:48 2022 +0100

Update repeatable build timestamp (currently unused)
---
 build.properties.default | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.properties.default b/build.properties.default
index 4c3bc21..68bcf72 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -38,8 +38,8 @@ version.suffix=-M14-dev
 # - Reproducible builds -
 # Uncomment and set to current time for reproducible builds
 # Note: The value is in seconds (unlike milliseconds used by 
System.currentTimeMillis()).
-#2022-03-30T00:00:00Z
-#ant.tstamp.now=1648598400
+#2022-03-31T12:00:00Z
+#ant.tstamp.now=1648728000
 
 # - Source control flags -
 git.branch=main

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [Bug 65736] Improve org.apache.naming.factory.BeanFactory to mitigate JNDI injection

2022-03-31 Thread Mark Thomas 

Ping.

On the topic of hardening, how far back do we want to do with this?

Mark


On 30/03/2022 12:41, bugzi...@apache.org wrote:

https://bz.apache.org/bugzilla/show_bug.cgi?id=65736

--- Comment #11 from Mark Thomas  ---
I've implemented this alternative approach for 10.1.x. It isn't as generic as
forceString but it is sufficient to meet the original requirement.

Two questions:
1. Should we back-port this? If so, how far?

2. Do we want to expand conversion so if the setter is for Type T that we can't
convert and T has a constructor T(String) we use that constructor to create an
instance of T and then pass that to the setter?



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas 




On 31/03/2022 12:25, Rémy Maucherat wrote:

On Thu, Mar 31, 2022 at 1:16 PM Mark Thomas  wrote:


On 31/03/2022 11:48, Rémy Maucherat wrote:

On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas  wrote:


Hi all,

My recent hardening fix to the class loader [1] provides mitigation for
a current Spring vulnerability [2].

While this is a Spring vulnerability, it may be the case for some users
that updating Tomcat is an easier mitigation path that updating Spring.
What are the community thoughts on cancelling the current releases,
re-tagging and releasing reasonably quickly?


Possibly ok but only if the new tag is "immediately" rather than "quickly".


I could start 10.1.x and 10.0.x in the next couple of hours. I can also
cover 8.5.x if Chris isn't available.


+1 then. If it is delayed, I will be in trouble ;)


ACK. I'll start now. I'm assuming I'll need to do 8.5.x too for now.

Mark




Rémy


Mark




Rémy



Mark


[1]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

[2]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas 

On 31/03/2022 12:33, Konstantin Kolinko wrote:

чт, 31 мар. 2022 г. в 12:52, Mark Thomas :


Hi all,

My recent hardening fix to the class loader [1] provides mitigation for
a current Spring vulnerability [2].

While this is a Spring vulnerability, it may be the case for some users
that updating Tomcat is an easier mitigation path that updating Spring.
What are the community thoughts on cancelling the current releases,
re-tagging and releasing reasonably quickly?

[1]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

[2]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc


Regarding [2] I think that you meant
https://tanzu.vmware.com/security/cve-2022-22963


No. This is a different issue.


I found this article with more details:

[3] 
https://securityonline.info/cve-2022-22963-spring-java-framework-0-day-remote-code-execution-vulerability-alert/


That article is, unfortunately, mixing information from multiple issues.


So we now have "setResources(WebResourceRoot)"
without accompanying "getResources()" ...


Correct. But we never call getResources() so...


1. I think that we can roll two votes in parallel, without cancelling
the old one.
So that in case getResources() is used somewhere, one could use the
"old" release.


True. It is slightly more work to run the existing releases to 
completion rather than cancelling them but I can do that if that is the 
consensus opinion. Personally, I'm happy with either option cancel or 
continue. We have a little time so we can discuss this and decide what 
to do while the votes run.



Essentially it is not our vulnerability. Nothing is broken with the
current RCs to cancel them.


Correct.


2. I do not know about the actual attack POC, but I note that there
are other public methods, and setters on the classloader.


I have more detail via $dayjob but I'm not going to disclose anything 
that isn't already public.


I've reviewed the other public setters and the level of risk with those 
methods looks to be much lower.



[3] talks that some setters were called.

  I see no way to remove it or protect some of those methods with a
security manager,
as they are part of the public API,
as I see no way to distinguish it from a proper call by the application.


Agreed.


So I think it is up to EL to close access to object -> getClass() ->
getClassLoader() -> ...
It is not really our issue.


Agreed this isn't our issue but the PoC is leveraging Tomcat code so if 
we can block it without breaking anything (which I think we can) then 
doing so gives end users an alternative option to mitigate the issue.


Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.61

2022-03-31 Thread Coty Sutherland 
On Wed, Mar 30, 2022 at 4:22 AM Rémy Maucherat  wrote:

> The proposed Apache Tomcat 9.0.61 release is now available for voting.
>
> The notable changes compared to 9.0.60 are:
>
> - Fix a potential thread-safety issue that could cause HTTP/1.1 request
>processing to pause, and potentially timeout, waiting for additional
>data when the full request has been received.
>
> - Fix a regression introduced with 65757 bugfix which better identified
>non request threads but which introduced a similar problem when user
>code was doing sequential operations in a single thread.
>
> - When resolving methods in EL expressions that use beans and/or static
>fields, ensure that any custom type conversion is considered when
>identifying the method to call.
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-9.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.61/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1366
> The tag is:
> https://github.com/apache/tomcat/tree/9.0.61
> 6c6432ac1416ed369f892b9ce76e10c7eb10b91c
>
> The proposed 9.0.61 release is:
> [ ] Broken - do not release
> [x] Stable - go ahead and release as 9.0.61 (stable)
>

+1


> Rémy
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Konstantin Kolinko 
чт, 31 мар. 2022 г. в 12:52, Mark Thomas :
>
> Hi all,
>
> My recent hardening fix to the class loader [1] provides mitigation for
> a current Spring vulnerability [2].
>
> While this is a Spring vulnerability, it may be the case for some users
> that updating Tomcat is an easier mitigation path that updating Spring.
> What are the community thoughts on cancelling the current releases,
> re-tagging and releasing reasonably quickly?
>
> [1]
> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
>
> [2]
> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

Regarding [2] I think that you meant
https://tanzu.vmware.com/security/cve-2022-22963

I found this article with more details:

[3] 
https://securityonline.info/cve-2022-22963-spring-java-framework-0-day-remote-code-execution-vulerability-alert/

So we now have "setResources(WebResourceRoot)"
without accompanying "getResources()" ...


1. I think that we can roll two votes in parallel, without cancelling
the old one.
So that in case getResources() is used somewhere, one could use the
"old" release.

Essentially it is not our vulnerability. Nothing is broken with the
current RCs to cancel them.


2. I do not know about the actual attack POC, but I note that there
are other public methods, and setters on the classloader.

[3] talks that some setters were called.

 I see no way to remove it or protect some of those methods with a
security manager,
as they are part of the public API,
as I see no way to distinguish it from a proper call by the application.

So I think it is up to EL to close access to object -> getClass() ->
getClassLoader() -> ...
It is not really our issue.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 1:16 PM Mark Thomas  wrote:
>
> On 31/03/2022 11:48, Rémy Maucherat wrote:
> > On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas  wrote:
> >>
> >> Hi all,
> >>
> >> My recent hardening fix to the class loader [1] provides mitigation for
> >> a current Spring vulnerability [2].
> >>
> >> While this is a Spring vulnerability, it may be the case for some users
> >> that updating Tomcat is an easier mitigation path that updating Spring.
> >> What are the community thoughts on cancelling the current releases,
> >> re-tagging and releasing reasonably quickly?
> >
> > Possibly ok but only if the new tag is "immediately" rather than "quickly".
>
> I could start 10.1.x and 10.0.x in the next couple of hours. I can also
> cover 8.5.x if Chris isn't available.

+1 then. If it is delayed, I will be in trouble ;)

Rémy

> Mark
>
>
> >
> > Rémy
> >
> >
> >> Mark
> >>
> >>
> >> [1]
> >> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
> >>
> >> [2]
> >> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: dev-h...@tomcat.apache.org
> >>
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas 

On 31/03/2022 11:48, Rémy Maucherat wrote:

On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas  wrote:


Hi all,

My recent hardening fix to the class loader [1] provides mitigation for
a current Spring vulnerability [2].

While this is a Spring vulnerability, it may be the case for some users
that updating Tomcat is an easier mitigation path that updating Spring.
What are the community thoughts on cancelling the current releases,
re-tagging and releasing reasonably quickly?


Possibly ok but only if the new tag is "immediately" rather than "quickly".


I could start 10.1.x and 10.0.x in the next couple of hours. I can also 
cover 8.5.x if Chris isn't available.


Mark




Rémy



Mark


[1]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

[2]
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Rémy Maucherat 
On Thu, Mar 31, 2022 at 11:52 AM Mark Thomas  wrote:
>
> Hi all,
>
> My recent hardening fix to the class loader [1] provides mitigation for
> a current Spring vulnerability [2].
>
> While this is a Spring vulnerability, it may be the case for some users
> that updating Tomcat is an easier mitigation path that updating Spring.
> What are the community thoughts on cancelling the current releases,
> re-tagging and releasing reasonably quickly?

Possibly ok but only if the new tag is "immediately" rather than "quickly".

Rémy


> Mark
>
>
> [1]
> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
>
> [2]
> https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.61

2022-03-31 Thread Mark Thomas 

On 30/03/2022 09:21, Rémy Maucherat wrote:


The proposed 9.0.61 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 9.0.61 (stable)


tests pass on Linux, Windows and MacOS.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re-rolling releases to pick up class loader hardening

2022-03-31 Thread Mark Thomas 

Hi all,

My recent hardening fix to the class loader [1] provides mitigation for 
a current Spring vulnerability [2].


While this is a Spring vulnerability, it may be the case for some users 
that updating Tomcat is an easier mitigation path that updating Spring. 
What are the community thoughts on cancelling the current releases, 
re-tagging and releasing reasonably quickly?


Mark


[1] 
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc


[2] 
https://github.com/apache/tomcat/commit/1abcf3f4d741c824ae490009fe32ce300f10eddc


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.0.19

2022-03-31 Thread Mark Thomas 

On 30/03/2022 00:49, Mark Thomas wrote:


The proposed 10.0.19 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.0.19 (stable)


Unit tests pass on Linux, Windows and MacOS.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.1.0-M13

2022-03-31 Thread Mark Thomas 

On 30/03/2022 00:06, Mark Thomas wrote:


The proposed 10.1.0-M13 release is:
[ ] Broken - do not release
[X] Alpha - go ahead and release as 10.1.0-M13 (alpha)


Unit tests pass on Linux, Windows and MacOS.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.0.19

2022-03-31 Thread Rémy Maucherat 
On Wed, Mar 30, 2022 at 1:50 AM Mark Thomas  wrote:
>
> The proposed Apache Tomcat 10.0.19 release is now available for
> voting.
>
> Apache Tomcat 10.0.x implements Jakarta EE 9 and, as such, the primary
> package for all the specification APIs has changed from javax.* to jakarta.*
>
> Applications that run on Tomcat 9 will not run on Tomcat 10 without
> changes. Java EE applications designed for Tomcat 9 and earlier may be
> placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> automatically convert them to Jakarta EE and copy them to the webapps
> directory
>
> The notable changes compared to 10.0.18 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Add additional warnings if incompatible TLS configurations are used
>such as HTTP/2 with CLIENT-CERT authentication
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-10.0.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.0.19/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1365
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.0.19
> 0b4fe866e5a4e06481e5019be9468e10790647ba
>
> The proposed 10.0.19 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 10.0.19 (stable)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 10.1.0-M13

2022-03-31 Thread Rémy Maucherat 
On Wed, Mar 30, 2022 at 1:06 AM Mark Thomas  wrote:
>
> The proposed Apache Tomcat 10.1.0-M13 release is now available for
> voting.
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory.
>
> The notable changes compared to 10.1.0-M12 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>Thomas Hoffmann.
>
> - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
>renamed for Jakarta EE 10)
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M13/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1364
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.0-M13
> faa2582152d9dcbcb444700df340e10a85fc375f
>
>
> The proposed 10.1.0-M13 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 10.1.0-M13 (alpha)

Rémy

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org