tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: Tagging 9.0.x and 8.5.x
Date Mon, 08 Jan 2018 09:42:14 GMT
On 08/01/18 09:31, Konstantin Kolinko wrote:
> 2018-01-04 23:42 GMT+03:00 Mark Thomas <markt@apache.org>:
>> Hi all,
>>
>> It is the start of a new month and the open issue list looks to be clear
>> so I'm planning on tagging 9.0.x and 8.5.x early next week.
> 
> Is there a need for a new Tomcat-Native build for Windows,
> to update to OpenSSL 1.0.2n (released 2017-12-07).
> 
> Tomcat Native 1.2.16 (released 2017-11-20) is built with 1.0.2m,
> 
> https://www.openssl.org/news/newslog.html
> 
> Generally, I think that CVE-2017-3737 does not affect us, as I read it that it
> relies on an application ignoring a fatal error from a handshake and
> continuing to read data,
> and I think that Tomcat won't ignore a fatal handshake error.

I concur. I wasn't planning on a Tomcat-Native release.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message