On 10/6/2023 10:52 AM, Nick Couchman wrote:
On Fri, Oct 6, 2023 at 1:27 PM Rihab Kasim <[email protected]> wrote:
Can we do it by ourselves? Is it possible? If not, when can we expect the
changes, since an upgrade to Tomcat 10+ is recommended due to some
vulnerabilities?
Yes, you can definitely do it yourself - if you're going to undertake it,
though, I'd recommend that you consider contributing the effort back to the
community via a pull request against the Jira issue that I mentioned. There
are several other folks who have asked about it, so there are many others
who would benefit from that work.
https://guacamole.apache.org/open-source/
Also, beware that the primary factor in the complexity of this is
maintaining compatibility. The easy route (simply replace all javax.*
with jakarta.*) will result in breaking changes to the extension API,
and even some third-party dependencies may not be compatible without
updates that may not yet have occurred.
It's not correct that there is a need to upgrade to Tomcat 10+ due to
vulnerabilities. As Nick mentioned earlier in the thread, Tomcat 9.0.x
is actively developed and supported (latest release was 9.0.80 on
2023-08-25). If a security issue is discovered with Tomcat 9.0.x, the
Tomcat security team should address it as they would with any
actively-supported Tomcat release.
See:
https://tomcat.apache.org/whichversion.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/download-90.cgi
- Mike