Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-04-01 Thread Felix Schumacher


On 31.03.22 at 15:57, Mark Thomas wrote:

The proposed Apache Tomcat 10.1.0-M14 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 
10 without changes. Java EE applications designed for Tomcat 9 and 
earlier may be placed in the $CATALINA_BASE/webapps-javaee directory 
and Tomcat will automatically convert them to Jakarta EE and copy them 
to the webapps directory.


The notable changes compared to 10.1.0-M12 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
  pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
  Thomas Hoffmann.

- Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
  renamed for Jakarta EE 10)

- Harden the class loader to provide a mitigation for CVE-2022-22965
  a Spring Framework vulnerability

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1367

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M14
02e84c839def0228475fad85d0b19abc2f70b03f


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[x] Alpha - go ahead and release as 10.1.0-M14 (alpha)


unit test run on Java 11 and Linux

Felix



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org





Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Raymond Augé
> [X] Alpha - go ahead and release as 10.1.0-M14 (alpha)

Ray

On Thu, Mar 31, 2022 at 11:13 AM wrote:

> Thank you Mark. I know it's not a Tomcat vulnerability, but if the
> Hardening mitigates the other, then that had me wondering was all.
>
> Thanks for the position clarification.
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If
> you are not the addressee or authorized to receive this for the addressee,
> you must not use, copy, disclose, or take any action based on this message
> or any information herein. If you have received this message in error,
> please advise the sender immediately by reply e-mail and delete this
> message. Thank you for your cooperation.
>
>
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Thursday, March 31, 2022 10:08 AM
> > To: dev@tomcat.apache.org
> > Subject: Re: [VOTE] Release Apache Tomcat 10.1.0-M14
> >
> > On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > > Noting the Hardening of the class loader, is this going to require
> > > this to be a security release of the newest Tomcat releases
> > > (forthcoming), or will they still just be standard releases?
> >
> > That change does not address a security vulnerability in Apache Tomcat.
> >
> > There will be no CVE for this change.
> >
> > We generally use hardening to refer to things that do not address a
> > vulnerability but improve the overall security posture. Typically, these
> > changes provide additional defense in depth.
> >
> > In this instance, it mitigates CVE-2022-22965 which is a Spring Framework
> > vulnerability. The main purpose of the release is to provide end users
> > with an alternative option if updating Tomcat is simpler than updating
> > the version of Spring they are using.
> >
> > To provide some context, similar recent hardening changes include:
> >
> > - Using a constant time algorithm to compare passwords. Analysis showed
> >   that a timing attack wasn't feasible but we switched now in case it
> >   became feasible as some point in the future
> >
> > - We changed the BeanFactory in 10.1.x (and might back-port the change)
> >   to prevent it from being used if an application has a JNDI injection
> >   vulnerability
> >
> > Finally, we will either keep completely silent about security
> > vulnerabilities until they are published or we will be completely open
> > about them up front (e.g. if there is a zero day).
> >
> > HTH,
> >
> > Mark
> >
>
>

-- 
*Raymond Augé* (@rotty3000)
Senior Software Architect *Liferay, Inc.* (@Liferay)
OSGi Fellow, Java Champion


RE: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread jonmcalexander
Thank you Mark. I know it's not a Tomcat vulnerability, but if the Hardening 
mitigates the other, then that had me wondering was all.

Thanks for the position clarification.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, March 31, 2022 10:08 AM
> To: dev@tomcat.apache.org
> Subject: Re: [VOTE] Release Apache Tomcat 10.1.0-M14
> 
> On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Noting the Hardening of the class loader, is this going to require this to
> > be a security release of the newest Tomcat releases (forthcoming), or will
> > they still just be standard releases?
> 
> That change does not address a security vulnerability in Apache Tomcat.
> 
> There will be no CVE for this change.
> 
> We generally use hardening to refer to things that do not address a
> vulnerability but improve the overall security posture. Typically, these
> changes provide additional defense in depth.
> 
> In this instance, it mitigates CVE-2022-22965 which is a Spring Framework
> vulnerability. The main purpose of the release is to provide end users with an
> alternative option if updating Tomcat is simpler than updating the version of
> Spring they are using.
> 
> To provide some context, similar recent hardening changes include:
> 
> - Using a constant time algorithm to compare passwords. Analysis showed
>   that a timing attack wasn't feasible but we switched now in case it
>   became feasible as some point in the future
> 
> - We changed the BeanFactory in 10.1.x (and might back-port the change)
>   to prevent it from being used if an application has a JNDI injection
>   vulnerability
> 
> Finally, we will either keep completely silent about security vulnerabilities
> until they are published or we will be completely open about them up front
> (e.g. if there is a zero day).
> 
> HTH,
> 
> Mark
> 





Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas

On 31/03/2022 16:05, jonmcalexan...@wellsfargo.com.INVALID wrote:

Sorry, just read the thread in tomcat.developers. I don't know about doing in 
parallel. It may be best to just supersede to 10.0.20 and 9.0.62 instead of 
rolling .19 and .61. Less confusion.


No problem. I think there is general agreement on the confusion point. 
For now, we are leaving the earlier release votes open just to give us 
options if (as unlikely that it is) something goes wrong with the later 
releases.


My current expectation is that, assuming the new votes pass, the older 
votes will be cancelled when the new votes have passed.


Mark



Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.



-Original Message-
From: jonmcalexan...@wellsfargo.com.INVALID

Sent: Thursday, March 31, 2022 9:56 AM
To: dev@tomcat.apache.org
Subject: RE: [VOTE] Release Apache Tomcat 10.1.0-M14

Noting the Hardening of the class loader, is this going to require this to be a
security release of the newest Tomcat releases (forthcoming), or will they
still just be standard releases?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you
are not the addressee or authorized to receive this for the addressee, you
must not use, copy, disclose, or take any action based on this message or any
information herein. If you have received this message in error, please advise
the sender immediately by reply e-mail and delete this message. Thank you
for your cooperation.



-Original Message-
From: Mark Thomas 
Sent: Thursday, March 31, 2022 8:58 AM
To: Tomcat Developers List 
Subject: [VOTE] Release Apache Tomcat 10.1.0-M14

The proposed Apache Tomcat 10.1.0-M14 release is now available for
voting.


Applications that run on Tomcat 9 and earlier will not run on Tomcat
10 without changes. Java EE applications designed for Tomcat 9 and
earlier may be placed in the $CATALINA_BASE/webapps-javaee directory
and Tomcat will automatically convert them to Jakarta EE and copy them
to the webapps directory.

The notable changes compared to 10.1.0-M12 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
Thomas Hoffmann.

- Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
renamed for Jakarta EE 10)

- Harden the class loader to provide a mitigation for CVE-2022-22965
a Spring Framework vulnerability

For full details, see the change log:
https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG49qpLRI$

It can be obtained from:
https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG6BHBJ-s$

The Maven staging repo is:
https://urldefense.com/v3/__https://repository.apache.org/content/repositories/orgapachetomcat-1367__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG7SAVFwo$

The tag is:
https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/10.1.0-M14__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhGfLmoUPs$
02e84c839def0228475fad85d0b19abc2f70b03f


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)








Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas

On 31/03/2022 15:56, jonmcalexan...@wellsfargo.com.INVALID wrote:

Noting the Hardening of the class loader, is this going to require this to be a 
security release of the newest Tomcat releases (forthcoming), or will they 
still just be standard releases?


That change does not address a security vulnerability in Apache Tomcat.

There will be no CVE for this change.

We generally use hardening to refer to things that do not address a 
vulnerability but improve the overall security posture. Typically, these 
changes provide additional defense in depth.


In this instance, it mitigates CVE-2022-22965 which is a Spring 
Framework vulnerability. The main purpose of the release is to provide 
end users with an alternative option if updating Tomcat is simpler than 
updating the version of Spring they are using.


To provide some context, similar recent hardening changes include:

- Using a constant time algorithm to compare passwords. Analysis showed
  that a timing attack wasn't feasible but we switched now in case it
  became feasible as some point in the future

- We changed the BeanFactory in 10.1.x (and might back-port the change)
  to prevent it from being used if an application has a JNDI injection
  vulnerability

Finally, we will either keep completely silent about security 
vulnerabilities until they are published or we will be completely open 
about them up front (e.g. if there is a zero day).


HTH,

Mark

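Mark's first example of a hardening change, a constant-time password comparison, is the kind of defence-in-depth measure that is easy to get subtly wrong. The Python block below is an added illustration and is not Tomcat's code (Tomcat is Java, and the thread does not show its comparison routine). It places a typical early-exit comparison beside a constant-time one and uses a count of bytes examined as a deterministic stand-in for elapsed time, so the leak Mark alludes to can be seen without noisy wall-clock measurements. `SECRET`, `GUESSES` and every function name are constructed for this example.

```python
"""Early-exit vs. constant-time secret comparison (added example, not Tomcat code)."""
import hmac
from typing import Callable, List, Tuple

# Constructed sample secret and guesses; not values from the thread.
SECRET = b"s3cretPassw0rd"
GUESSES = [b"x" * 14, b"s3c" + b"x" * 11, b"s3cretP" + b"x" * 7, SECRET]


def naive_equals(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Typical early-exit comparison.

    Returns (equal, bytes_examined). The counter is a deterministic stand-in
    for elapsed time: it grows with the length of the matching prefix, which
    is exactly the signal a timing side channel exposes.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:  # stops at the first mismatch, revealing its position
            return False, examined
    return True, examined


def constant_time_equals(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Compare every byte of `a` (the stored secret) regardless of mismatches.

    Returns (equal, bytes_examined). The loop always runs len(a) times, so
    the work depends only on the secret's length, not on where the guess
    diverges and not on the guess's length.
    """
    diff = len(a) ^ len(b)      # fold a length mismatch into the verdict
    wrap = b if b else b"\0"    # keep indexing valid for an empty guess
    examined = 0
    for i in range(len(a)):
        examined += 1
        diff |= a[i] ^ wrap[i % len(wrap)]  # accumulate, never branch
    return diff == 0, examined


def library_equals(a: bytes, b: bytes) -> bool:
    """What production code should call: the standard library's
    constant-time comparison, hmac.compare_digest."""
    return hmac.compare_digest(a, b)


def examined_counts(compare: Callable[[bytes, bytes], Tuple[bool, int]],
                    secret: bytes, guesses: List[bytes]) -> List[int]:
    """Collect the work counter for each guess; a flat list means no leak."""
    return [compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    # The early-exit counts climb as the guess shares a longer prefix with
    # the secret; the constant-time counts are flat.
    print("early-exit :", examined_counts(naive_equals, SECRET, GUESSES))
    print("constant   :", examined_counts(constant_time_equals, SECRET, GUESSES))
```

The counter models control flow only; the interpreter's integer operations are not guaranteed to be constant time at the machine level, which is why `library_equals` is the form to use in real code and the hand-written loop is there to show what the library is doing for you.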



RE: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread jonmcalexander
Sorry, just read the thread in tomcat.developers. I don't know about doing in 
parallel. It may be best to just supersede to 10.0.20 and 9.0.62 instead of 
rolling .19 and .61. Less confusion.

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: jonmcalexan...@wellsfargo.com.INVALID
> 
> Sent: Thursday, March 31, 2022 9:56 AM
> To: dev@tomcat.apache.org
> Subject: RE: [VOTE] Release Apache Tomcat 10.1.0-M14
> 
> Noting the Hardening of the class loader, is this going to require this to be
> a security release of the newest Tomcat releases (forthcoming), or will they
> still just be standard releases?
> 
> Thanks,
> 
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Infrastructure Engineer
> Asst Vice President
> He/His
> 
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> 
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
> 
> jonmcalexan...@wellsfargo.com
> This message may contain confidential and/or privileged information. If you
> are not the addressee or authorized to receive this for the addressee, you
> must not use, copy, disclose, or take any action based on this message or any
> information herein. If you have received this message in error, please advise
> the sender immediately by reply e-mail and delete this message. Thank you
> for your cooperation.
> 
> 
> > -Original Message-
> > From: Mark Thomas 
> > Sent: Thursday, March 31, 2022 8:58 AM
> > To: Tomcat Developers List 
> > Subject: [VOTE] Release Apache Tomcat 10.1.0-M14
> >
> > The proposed Apache Tomcat 10.1.0-M14 release is now available for
> > voting.
> >
> > Applications that run on Tomcat 9 and earlier will not run on Tomcat
> > 10 without changes. Java EE applications designed for Tomcat 9 and
> > earlier may be placed in the $CATALINA_BASE/webapps-javaee directory
> > and Tomcat will automatically convert them to Jakarta EE and copy them
> > to the webapps directory.
> >
> > The notable changes compared to 10.1.0-M12 are:
> >
> > - Update the packaged version of the Tomcat Native Library to 1.2.32 to
> >   pick up Windows binaries built with OpenSSL 1.1.1n.
> >
> > - Improve logging of unknown HTTP/2 settings frames. Pull request by
> >   Thomas Hoffmann.
> >
> > - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
> >   renamed for Jakarta EE 10)
> >
> > - Harden the class loader to provide a mitigation for CVE-2022-22965
> >   a Spring Framework vulnerability
> >
> > For full details, see the change log:
> > https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG49qpLRI$
> >
> > It can be obtained from:
> > https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG6BHBJ-s$
> >
> > The Maven staging repo is:
> > https://urldefense.com/v3/__https://repository.apache.org/content/repositories/orgapachetomcat-1367__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG7SAVFwo$
> >
> > The tag is:
> > https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/10.1.0-M14__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhGfLmoUPs$
> > 02e84c839def0228475fad85d0b19abc2f70b03f
> >
> >
> > The proposed 10.1.0-M14 release is:
> > [ ] Broken - do not release
> > [ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)
> >
> 
> 





RE: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread jonmcalexander
Noting the Hardening of the class loader, is this going to require this to be a 
security release of the newest Tomcat releases (forthcoming), or will they 
still just be standard releases?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.


> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, March 31, 2022 8:58 AM
> To: Tomcat Developers List 
> Subject: [VOTE] Release Apache Tomcat 10.1.0-M14
> 
> The proposed Apache Tomcat 10.1.0-M14 release is now available for voting.
> 
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier may
> be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the webapps
> directory.
> 
> The notable changes compared to 10.1.0-M12 are:
> 
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>   pick up Windows binaries built with OpenSSL 1.1.1n.
> 
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>   Thomas Hoffmann.
> 
> - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
>   renamed for Jakarta EE 10)
> 
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>   a Spring Framework vulnerability
> 
> For full details, see the change log:
> https://urldefense.com/v3/__https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG49qpLRI$
> 
> It can be obtained from:
> https://urldefense.com/v3/__https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG6BHBJ-s$
> 
> The Maven staging repo is:
> https://urldefense.com/v3/__https://repository.apache.org/content/repositories/orgapachetomcat-1367__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhG7SAVFwo$
> 
> The tag is:
> https://urldefense.com/v3/__https://github.com/apache/tomcat/tree/10.1.0-M14__;!!F9svGWnIaVPGSwU!8mSg3B7bwW3JnbXXAHCr-s8j6bZCdu7KDUxw0l3wJQ8OI_ns3yIc_U-_KVbJQJhGfLmoUPs$
> 02e84c839def0228475fad85d0b19abc2f70b03f
> 
> 
> The proposed 10.1.0-M14 release is:
> [ ] Broken - do not release
> [ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)
> 





Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Rémy Maucherat
On Thu, Mar 31, 2022 at 3:58 PM Mark Thomas  wrote:
>
> The proposed Apache Tomcat 10.1.0-M14 release is now available for
> voting.
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory.
>
> The notable changes compared to 10.1.0-M12 are:
>
> - Update the packaged version of the Tomcat Native Library to 1.2.32 to
>   pick up Windows binaries built with OpenSSL 1.1.1n.
>
> - Improve logging of unknown HTTP/2 settings frames. Pull request by
>   Thomas Hoffmann.
>
> - Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
>   renamed for Jakarta EE 10)
>
> - Harden the class loader to provide a mitigation for CVE-2022-22965
>   a Spring Framework vulnerability
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1367
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.0-M14
> 02e84c839def0228475fad85d0b19abc2f70b03f
>
>
> The proposed 10.1.0-M14 release is:
> [ ] Broken - do not release
> [X] Alpha - go ahead and release as 10.1.0-M14 (alpha)

Rémy




Re: [VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas

On 31/03/2022 14:57, Mark Thomas wrote:


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[X] Alpha - go ahead and release as 10.1.0-M14 (alpha)


Tests pass on Linux, Windows and MacOS

Mark




[VOTE] Release Apache Tomcat 10.1.0-M14

2022-03-31 Thread Mark Thomas

The proposed Apache Tomcat 10.1.0-M14 release is now available for
voting.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory.


The notable changes compared to 10.1.0-M12 are:

- Update the packaged version of the Tomcat Native Library to 1.2.32 to
  pick up Windows binaries built with OpenSSL 1.1.1n.

- Improve logging of unknown HTTP/2 settings frames. Pull request by
  Thomas Hoffmann.

- Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
  renamed for Jakarta EE 10)

- Harden the class loader to provide a mitigation for CVE-2022-22965
  a Spring Framework vulnerability

For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.0-M14/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1367

The tag is:
https://github.com/apache/tomcat/tree/10.1.0-M14
02e84c839def0228475fad85d0b19abc2f70b03f


The proposed 10.1.0-M14 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 10.1.0-M14 (alpha)
