Hello, This is the link to the bug we are facing: https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
Is it fixed in 9.0.31? Thank you for your help. Best, Rhea -----Original Message----- From: Christopher Schultz <ch...@christopherschultz.net> Sent: Friday, July 8, 2022 8:57 PM To: users@tomcat.apache.org Subject: Re: Package TOMCAT 9.0.54 for Ubuntu 20.04 Rhea, On 7/8/22 05:53, Rhea Moubarak wrote: > I asked Ubuntu-devel-discus if it's possible to integrate TOMCAT 9.0.54 in > the official repositories of Ubuntu 20.04 as it helps fixing major security > issues on TOMCAT installations. > > (https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2022-July/0192 > 97.html) > > > > They responded with the following: > >>> Hi Rhea, > >>> but gladly this isn't plain 9.0.31. > >>> There was a similar bug request [1] which got resolved a while ago in [2] >>> and I think has solved all those security issues in the 9.0.31 version that >>> is in Focal. > >>> > >>> On the other side there is the SRU policy [3] which prevents too big >>> version jumps unless there is extra focus on stability and testing which >>> needs further effort and dedication which for tomcat9 being only in >>> universe isn't provided by anyone at the moment. > >>> > >>> [1]: https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911 > >>> [2]: https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2 > >>> [3]: https://wiki.ubuntu.com/StableReleaseUpdates > > Is it possible from anyone from your side to help with the stability > and testing of the version 9.0.54 to satisfy the SRU policy of Ubuntu? We are all volunteers. If you'd like to volunteer to assemble the information we'd need to fulfill such a "stability and testing" plan, we might be able to move forward. The Debian and Ubuntu teams track this project and incorporate patches (which is how *those* projects work, not Apache Tomcat which releases new versions for security fixes) for security issues as appropriate. Whatever is in 9.0.54 that you need might actually be available through the Ubuntu package repository under the package whose nominal version number appears to be "9.0.31". You should read the release notes of the package history to see what security items have been addressed in their latest version. You may find that apache-tomcat-9.0.31-ubuntu-rev48 (or whatever) addresses all of the reported CVEs between 9.0.31 and 9.0.54 even if the version number hasn't changed. If you have a security auditor who is looking at software version numbers instead of the effective security provided from the package, you may have to either switch auditors, or switch package managers/repositories to one which meets your auditors requirements. -chris --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
