Hi Michael,

I agree that the embedded instance isn't usually web-facing, but our info-sec 
team scans all systems to reduce the feasibility of lateral movement attacks. 

As for the dev version, it looks like it addresses the Tomcat vulnerabilities.  
Will this be in the next release?

Thanks,

Wyatt

-----Original Message-----
From: Michael Bien <mbie...@gmail.com> 
Sent: Monday, October 28, 2024 12:40 PM
To: Tellis, Wyatt <wyatt.tel...@ucsf.edu>; 'users@netbeans.apache.org' 
<users@netbeans.apache.org>
Subject: Re: Upgrading embedded Tomcat instance


Hi Wyatt,

the embedded Tomcat instance is used to preview generated Javadoc and 
similar use cases. Since it isn't facing the web, the typical CVEs often 
don't apply there. Are you worried about something in particular?

The embedded instance is a regular NetBeans dependency which can't be 
updated in a supported way once NB is built. But updating lib wrapper 
modules is often fairly easy: 
https://github.com/apache/netbeans/pull/7919/files

What does your scanner say about this build?
https://github.com/apache/netbeans/actions/runs/11561261789/artifacts/2114223969
(7 days expiration, requires github account to download)

best regards,
michael


On 28.10.24 18:56, Tellis, Wyatt wrote:
>
> Hi,
>
> I’m using NB23 and our security scanners have flagged it for running 
> Tomcat 9.0.71, which contains numerous vulnerabilities: 
> https://tomcat.apache.org/security-9.html
>
> Is there a way to update the embedded version of Tomcat?
>
> Thanks,
>
> Wyatt
>
