Hi Michael,

Good question. If you are using the embedded Tomcat (provided by Spring Boot and introduced in DSpace 8), then you should be able to tell Spring Boot to build with a different version by specifying this property in your Parent POM (the root "pom.xml" in the src folder):

<tomcat.version>10.1.39</tomcat.version>

This setting would go in the "<properties>" section alongside all the other version tags that DSpace uses during the build process: https://github.com/DSpace/DSpace/blob/dspace-8.1/pom.xml#L19

Alternatively, if you are running DSpace 8.1 already, you could update the existing "spring-boot.version" setting to be: "<spring-boot.version>3.4.3</spring-boot.version>", as that will also pull in a fixed version of Tomcat 10.1.x. (I'm not sure that change will work with an 8.0 installation though, because it used an older version of Spring Boot.)

After making either of these changes to your pom.xml, you would need to rebuild your DSpace installation, at which point Spring Boot should pull in an updated version of Tomcat.

Tim

On Tuesday, March 18, 2025 at 11:52:41 AM UTC-5 Michael Plate wrote:

> Hi Tim,
>
> thanks for the information.
> What about those of us running the embedded version in server-boot.jar -
> looking at the logs ours tells
>
> 2025-03-18 17:35:00,130 INFO unknown unknown
> org.apache.catalina.core.StandardEngine @ Starting Servlet engine:
> [Apache Tomcat/10.1.24]
>
> Version seems to be 10.1.24. Presumably we do need to rebuild?
> My maven repo contains this:
>
> .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/
> 10.1.24 9.0.75
>
> Cleaning the maven repo and rebuilding did not update to anything newer
> than 10.1.24.
>
> How does one continue?
>
> CU
>
> Michael
>
> On 18.03.25 at 17:16, DSpace Technical Support wrote:
> > All,
> >
> > You may have already come across this, but Apache Tomcat has had a major
> > RCE (Remote Code Execution) vulnerability (CVE-2025-24813) announced
> > within the last week, and exploits are already occurring.
> […]
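A post-rebuild check for the situation discussed in this thread, added here as an example and not part of the original messages or of DSpace itself: it reports which tomcat-embed-core version is bundled in a Spring Boot jar such as server-boot.jar and which version the startup log names, then compares them numerically against a target. The target 10.1.39 is taken from the reply above; the function names and the in-memory sample jar are assumptions made for the illustration.

```python
import io
import re
import zipfile

# Assumption: the target is the value suggested above for <tomcat.version>.
TARGET = (10, 1, 39)

# Spring Boot executable jars keep their dependencies under BOOT-INF/lib/.
JAR_ENTRY = re.compile(r"(?:^|/)tomcat-embed-core-(\d+(?:\.\d+)*)\.jar$")
LOG_LINE = re.compile(r"Starting Servlet engine: \[Apache Tomcat/(\d+(?:\.\d+)*)\]")


def parse_version(text):
    """'10.1.24' -> (10, 1, 24), so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def versions_in_boot_jar(jar):
    """Return every tomcat-embed-core version bundled in the jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        found = {m.group(1) for name in zf.namelist() if (m := JAR_ENTRY.search(name))}
    return sorted(found, key=parse_version)


def version_from_log(lines):
    """Return the version named by the last 'Starting Servlet engine' line, or None."""
    hits = [m.group(1) for line in lines if (m := LOG_LINE.search(line))]
    return hits[-1] if hits else None


def is_at_least_target(version, target=TARGET):
    return parse_version(version) >= target


def make_sample_jar(tomcat_version):
    """Constructed stand-in for server-boot.jar; only the entry names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/tomcat-embed-core-{tomcat_version}.jar", b"")
        zf.writestr("BOOT-INF/lib/example-lib-1.0.jar", b"")  # constructed filler entry
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Log line as quoted in the message above.
    log = ["2025-03-18 17:35:00,130 INFO unknown unknown "
           "org.apache.catalina.core.StandardEngine @ Starting Servlet engine: "
           "[Apache Tomcat/10.1.24]"]
    for v in versions_in_boot_jar(make_sample_jar("10.1.24")) + [version_from_log(log)]:
        print(v, "OK" if is_at_least_target(v) else "older than target, rebuild needed")
```

Against a real installation, pass the path of the built server-boot.jar to `versions_in_boot_jar` and the lines of the DSpace log to `version_from_log`; a jar that still lists only the old version means the property change did not reach the build.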