On 29.10.24 01:49, Tellis, Wyatt wrote:
> Hi Michael,
>
> I agree that the embedded instance isn't usually web-facing, but our info-sec
> team scans all systems to reduce the feasibility of lateral movement attacks.

right - what I thought.

> As for the dev version, it looks like it addresses the Tomcat vulnerabilities.
> Will this be in the next release?

PR #7919 is targeting NetBeans 25 right now.

best regards,

michael

> Thanks,
>
> Wyatt

-----Original Message-----
From: Michael Bien <mbie...@gmail.com>
Sent: Monday, October 28, 2024 12:40 PM
To: Tellis, Wyatt <wyatt.tel...@ucsf.edu>; 'users@netbeans.apache.org' 
<users@netbeans.apache.org>
Subject: Re: Upgrading embedded Tomcat instance

Hi Wyatt,

the embedded Tomcat instance is used to preview generated javadoc and
similar use cases. Since it isn't facing the web, the typical CVEs often
don't apply there. Are you worried about something in particular?

The embedded instance is a regular NetBeans dependency which can't be
updated in a supported way once NB is built. But updating lib wrapper
modules is often fairly easy:
https://github.com/apache/netbeans/pull/7919/files

what does your scanner say about this build?
https://github.com/apache/netbeans/actions/runs/11561261789/artifacts/2114223969
(7 days expiration, requires GitHub account to download)

best regards,
michael


On 28.10.24 18:56, Tellis, Wyatt wrote:
Hi,

I’m using NB23 and our security scanners have flagged it for running
Tomcat 9.0.71, which contains numerous vulnerabilities:
https://tomcat.apache.org/security-9.html

Is there a way to update the embedded version of Tomcat?

Thanks,

Wyatt


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org
For additional commands, e-mail: users-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists


