The TomEE Patch Plugin doesn't rewrite the content of the manifest files ;-)
You could check the file hashes or the related classes, which required patching
Gruß
Richard
Am 13. November 2023 17:42:18 MEZ schrieb COURTAULT Francois
:
>THALES GROUP LIMITED DISTRIBUTION to email recipients
>
>He
THALES GROUP LIMITED DISTRIBUTION to email recipients
Hello Jonathan
You wrote:
" > One comment I'll make though, is that NexusIQ (I also use it) will
> potentially still identify the jars as Tomcat 10.0.27, and therefore
> may still identify them as vulnerable (incorrectly), despite a patch
Hi,
I was also wondering about this outdated tomcat.
I was trying to move to tomee 9.1, but I realized that we depend on some
tomcat features that are not present on tomcat 10.x.
So I guess we have to move from tomee 8 all the way to tomee 10. So, also
checking on 10.x branch, I see that it depe
I will check on the state of these CVEs with respect to the backports, and
reply on this thread.
One comment I'll make though, is that NexusIQ (I also use it) will
potentially still identify the jars as Tomcat 10.0.27, and therefore may
still identify them as vulnerable (incorrectly), despite a pa
THALES GROUP LIMITED DISTRIBUTION to email recipients
Hello Richard,
I performed a vulnerabilities scan using NexusIQ, the result are:
- CVE-2022-45143 (CVSS 3 scoring 7.5) on tomcat-catalina : 10.0.27
- CVE-2023-24998 (CVSS 3 scoring 7.5) on tomcat-coyote : 10.0.27
Some of our custome
Hi,
the TomEE 10.0.27 contained in TomEE 9.1.x is patched inside the TomEE
build to fix the latest CVEs. We did not backport bug fixes, though.
As TomEE 9 targets EE9(.1), we cannot upgrade to Tomcat 10.1.x, which
is EE10. So from a spec perspective, there is currently no plan to
migrate TomEE 9.
THALES GROUP LIMITED DISTRIBUTION to email recipients
Hello everyone,
According to this link https://tomcat.apache.org/tomcat-10.0-eol.html Tomcat
10.0.x is EOL, right?
But TomEE 9.1.1 still rely on Tomcat 10.0.x.
Any plan to migrate TomEE 9.x to Tomcat 10.1.x ?
Best Regards.