Hello,

This is the link to the bug we are facing: 
https://bz.apache.org/bugzilla/show_bug.cgi?id=64195

Is it fixed in 9.0.31?

Thank you for your help.

Best,
Rhea

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Friday, July 8, 2022 8:57 PM
To: users@tomcat.apache.org
Subject: Re: Package TOMCAT 9.0.54 for Ubuntu 20.04

Rhea,

On 7/8/22 05:53, Rhea Moubarak wrote:
> I asked Ubuntu-devel-discus if it's possible to integrate TOMCAT 9.0.54 in 
> the official repositories of Ubuntu 20.04 as it helps fixing major security 
> issues on TOMCAT installations.
> 
> (https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2022-July/0192
> 97.html)
> 
> 
> 
> They responded with the following:
> 
>>> Hi Rhea,
> 
>>> but gladly this isn't plain 9.0.31.
> 
>>> There was a similar bug request [1] which got resolved a while ago in [2] 
>>> and I think has solved all those security issues in the 9.0.31 version that 
>>> is in Focal.
> 
>>>
> 
>>> On the other side there is the SRU policy [3] which prevents too big 
>>> version jumps unless there is extra focus on stability and testing which 
>>> needs further effort and dedication which for tomcat9 being only in 
>>> universe isn't provided by anyone at the moment.
> 
>>>
> 
>>> [1]: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911
> 
>>> [2]: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
> 
>>> [3]: https://wiki.ubuntu.com/StableReleaseUpdates
> 
> Is it possible from anyone from your side to help with the stability 
> and testing of the version 9.0.54 to satisfy the SRU policy of Ubuntu?

We are all volunteers. If you'd like to volunteer to assemble the information 
we'd need to fulfill such a "stability and testing" plan, we might be able to 
move forward.

The Debian and Ubuntu teams track this project and incorporate patches (which 
is how *those* projects work, not Apache Tomcat which releases new versions for 
security fixes) for security issues as appropriate.

Whatever is in 9.0.54 that you need might actually be available through the 
Ubuntu package repository under the package whose nominal version number 
appears to be "9.0.31". You should read the release notes of the package 
history to see what security items have been addressed in their latest version. 
You may find that apache-tomcat-9.0.31-ubuntu-rev48 (or
whatever) addresses all of the reported CVEs between 9.0.31 and 9.0.54 even if 
the version number hasn't changed.

If you have a security auditor who is looking at software version numbers 
instead of the effective security provided from the package, you may have to 
either switch auditors, or switch package managers/repositories to one which 
meets your auditors requirements.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to