[ https://issues.apache.org/jira/browse/OFBIZ-12165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Brohl reopened OFBIZ-12165:
-----------------------------------

I think this should be backported to at least r18.12 because of the reported CVE reports, see [https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43].

> Upgrade Tomcat from 9.0.41 to 9.0.43
> ------------------------------------
>
> Key: OFBIZ-12165
> URL: https://issues.apache.org/jira/browse/OFBIZ-12165
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Minor
> Fix For: Upcoming Branch
>
>
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.43.
> Apache Tomcat 9 is an open source software implementation of the Java
> Servlet, JavaServer Pages, Java Unified Expression Language, Java
> WebSocket and JASPIC technologies.
> Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
> changes compared to 9.0.41 include:
> - Add support for using Unix domain sockets for NIO when running on Java
> 16 or later.
> - Add a new StringInterpreter interface that allows applications to
> provide customised string attribute value to type conversion within
> JSPs. This allows applications to provide a conversion implementation
> that is optimised for the application.
> - Add peerAddress to coyote request, which contains the IP address of
> the direct connection peer. If a reverse proxy sits in front of Tomcat
> and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
> differ from the remoteAddress. The remoteAddress is likely to contain
> the address of the client in front of the reverse proxy, not the
> address of the proxy itself.
> Please refer to the change log for the complete list of changes:
> [http://tomcat.apache.org/tomcat-9.0-doc/changelog.html]
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)