** Description changed: ========================================= This is an SRU for Apache Tomcat packages ========================================= This SRU targets the Apache Tomcat packages tomcat9, tomcat10, tomcat11 and tomcat-native, and coordinates the transition from libtcnative-1 to libtcnative-2, the restoration of server packages for tomcat10 and also addresses various CVEs fixed in their upstream Debian releases. [ Impact ] By backporting the latest releases of tomcat9, tomcat10, tomcat11 and tomcat-native downward to Noble, this will improve the security of the Java toolchain in Ubuntu. In doing so, the following CVEs will be addressed: - https://nvd.nist.gov/vuln/detail/CVE-2024-24549 - https://nvd.nist.gov/vuln/detail/CVE-2024-23672 - https://nvd.nist.gov/vuln/detail/CVE-2025-61795 - https://nvd.nist.gov/vuln/detail/CVE-2025-48989 - https://nvd.nist.gov/vuln/detail/CVE-2026-24734 - https://nvd.nist.gov/vuln/detail/CVE-2026-41284 - https://nvd.nist.gov/vuln/detail/CVE-2026-41293 - https://nvd.nist.gov/vuln/detail/CVE-2026-42498 - https://nvd.nist.gov/vuln/detail/CVE-2026-43512 - https://nvd.nist.gov/vuln/detail/CVE-2026-43513 - https://nvd.nist.gov/vuln/detail/CVE-2026-43514 - https://nvd.nist.gov/vuln/detail/CVE-2026-43515 It is crucial that these backports are done together, as tomcat-native is a direct build/recommends dependency of tomcat9, tomcat10 and tomcat11 and was renamed from libtcnative-1 to libtcnative-2 in upstream releases. Additionally by backporting these packages, this SRU also restores server packages for tomcat10, which were dropped since v10.1.52-2. yet are invaluable for developers still using these features. The current tomcat-native version (1.3.1-1) in Questing and Resolute is incompatible with the current tomcat11 package in the archive. In updating both of these packages, it will fix this regression. 
[ Test Plan ] All packages implement testing at build-time, whilst tomcat10 and tomcat11 now make these and other smoke tests available through autopkgtest to ensure tomcat-native compatibility. Each of these packages are self-contained and have no reverse dependencies, and as such their build-time and/or autopkgtest results should be sufficient. For tomcat10 and tomcat11 which produce server packages, these can be simply tested by confirming that they are running after installation: # Launch lxd vm for testing: lxc launch ubuntu-daily:resolute test && lxc exec test bash # Prepare the PPA for testing: add-apt-repository ppa:rroessler/sru-tomcat-backports apt update # Install version that has server packages: apt install tomcat11 # or apt install tomcat10 # Check that the server is accessible: curl -fsS http://localhost:8080 # Check to see if libtcnative-2 loaded successfully: journalctl -u tomcat10 | grep “Loaded Apache Tomcat Native library” # or journalctl -u tomcat11 | grep “Loaded Apache Tomcat Native library” # Co-installing both tomcat10 and tomcat11 # 1. Start by installing both packages apt install tomcat10 tomcat11 # 2. Change default port within /var/lib/tomcat11/conf/server.xml (or # tomcat10) by replacing ‘port=”8080”’ in the following statement: # <Connector port=”8080” protocol=”HTTP/1.1” # connectionTimeout=”20000” # redirectPort=”8443” # maxParameterCount=”1000” # /> # 3. Restart the service that was changed systemctl restart tomcat11 # 4. Confirm both servers are now accessible curl -fsS http://localhost:8080 # for first service (default port value) curl -fsS http://localhost:8081 # for second service (other port value) [ Potential Problems ] The update of tomcat-native from v1.3.1-1 to v2.0.14-1 provides beneficial updates (security and performance), with little risk to regression as it is now the stable version for upstream Debian. 
Since all the packages to be backported require tomcat-native as a build-dependency, all of them must be migrated/released together. These updates may impact users currently running versions of Tomcat, as they will need to restart the service after upgrading. For the backports to Noble, we need to relax compiler requirements due to a missing build dependency of the libeclipse-jdt-core-compiler-batch- java binary package. This can be simply done by removing this dependency, but may result in subtle behavioural differences or performance regressions. For example, there could be a missing library or language feature because of the downgrade in compiler, however this would ultimately be caught at build-time. In Noble, tomcat11 is also a new package that can be co-installed alongside tomcat10. This is the same functionality that is currently seen in the archive for Resolute and Questing and the co-installation test above would show any failures here. Since the transitioning from libtcnative-1 to libtcnative-2 is effectively a name-change, the previous version is not superseded. - Internally, tomcat9, tomcat10 and tomcat11 counter this by dynamically - loading libtcnative-2, or falling back to libtcnative-1, or running with + Internally, tomcat10 and tomcat11 counter this by dynamically loading + libtcnative-2, or falling back to libtcnative-1, or running with neither. + + tomcat9 does not provide server packages that load tomcat-native to + improve performance. It is not functionally affected by tomcat-native + transition. The tomcat9 uploads are only needed to remove the build + dependency on libtcnative-1. 
[ Other Info ] PPA: https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat- backports Diffs (tomcat9): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.70-2_9.0.118-1~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.95-1ubuntu1_9.0.118-1~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.115-1_9.0.118-1~26.04.1.diff.gz Diffs (tomcat10): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.16-1_10.1.55-1ubuntu2~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.40-1ubuntu1_10.1.55-1ubuntu2~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.40-1ubuntu1_10.1.55-1ubuntu2~26.04.1.diff.gz Diffs (tomcat11): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.22-2ubuntu2_11.0.22-2ubuntu2~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.6-1_11.0.22-2ubuntu2~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.18-1_11.0.22-2ubuntu2~26.04.1.diff.gz Diffs (tomcat-native): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.2.35-1build2_2.0.14-1~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.3.1-1_2.0.14-1~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.3.1-1build1_2.0.14-1~26.04.1.diff.gz
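Review bot: The reworded paragraph in [ Potential Problems ] now says the tomcat9 uploads are only needed to remove the build dependency on libtcnative-1, but two unchanged sentences still say otherwise: [ Impact ] describes tomcat-native as "a direct build/recommends dependency of tomcat9, tomcat10 and tomcat11", and [ Potential Problems ] opens with "all the packages to be backported require tomcat-native as a build-dependency". Suggest rewording both so they agree with the new tomcat9 paragraph, and stating whether tomcat9 still has to be released in lockstep with tomcat-native once that build dependency is gone.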
** Description changed: ========================================= This is an SRU for Apache Tomcat packages ========================================= This SRU targets the Apache Tomcat packages tomcat9, tomcat10, tomcat11 and tomcat-native, and coordinates the transition from libtcnative-1 to libtcnative-2, the restoration of server packages for tomcat10 and also addresses various CVEs fixed in their upstream Debian releases. [ Impact ] By backporting the latest releases of tomcat9, tomcat10, tomcat11 and tomcat-native downward to Noble, this will improve the security of the Java toolchain in Ubuntu. In doing so, the following CVEs will be addressed: - https://nvd.nist.gov/vuln/detail/CVE-2024-24549 - https://nvd.nist.gov/vuln/detail/CVE-2024-23672 - https://nvd.nist.gov/vuln/detail/CVE-2025-61795 - https://nvd.nist.gov/vuln/detail/CVE-2025-48989 - https://nvd.nist.gov/vuln/detail/CVE-2026-24734 - https://nvd.nist.gov/vuln/detail/CVE-2026-41284 - https://nvd.nist.gov/vuln/detail/CVE-2026-41293 - https://nvd.nist.gov/vuln/detail/CVE-2026-42498 - https://nvd.nist.gov/vuln/detail/CVE-2026-43512 - https://nvd.nist.gov/vuln/detail/CVE-2026-43513 - https://nvd.nist.gov/vuln/detail/CVE-2026-43514 - https://nvd.nist.gov/vuln/detail/CVE-2026-43515 It is crucial that these backports are done together, as tomcat-native is a direct build/recommends dependency of tomcat9, tomcat10 and tomcat11 and was renamed from libtcnative-1 to libtcnative-2 in upstream releases. Additionally by backporting these packages, this SRU also restores server packages for tomcat10, which were dropped since v10.1.52-2. yet are invaluable for developers still using these features. The current tomcat-native version (1.3.1-1) in Questing and Resolute is incompatible with the current tomcat11 package in the archive. In updating both of these packages, it will fix this regression. 
[ Test Plan ] All packages implement testing at build-time, whilst tomcat10 and tomcat11 now make these and other smoke tests available through autopkgtest to ensure tomcat-native compatibility. Each of these packages are self-contained and have no reverse dependencies, and as such their build-time and/or autopkgtest results should be sufficient. For tomcat10 and tomcat11 which produce server packages, these can be simply tested by confirming that they are running after installation: # Launch lxd vm for testing: lxc launch ubuntu-daily:resolute test && lxc exec test bash # Prepare the PPA for testing: add-apt-repository ppa:rroessler/sru-tomcat-backports apt update # Install version that has server packages: apt install tomcat11 # or apt install tomcat10 # Check that the server is accessible: curl -fsS http://localhost:8080 # Check to see if libtcnative-2 loaded successfully: journalctl -u tomcat10 | grep “Loaded Apache Tomcat Native library” # or journalctl -u tomcat11 | grep “Loaded Apache Tomcat Native library” # Co-installing both tomcat10 and tomcat11 # 1. Start by installing both packages apt install tomcat10 tomcat11 # 2. Change default port within /var/lib/tomcat11/conf/server.xml (or # tomcat10) by replacing ‘port=”8080”’ in the following statement: # <Connector port=”8080” protocol=”HTTP/1.1” # connectionTimeout=”20000” # redirectPort=”8443” # maxParameterCount=”1000” # /> # 3. Restart the service that was changed systemctl restart tomcat11 # 4. Confirm both servers are now accessible curl -fsS http://localhost:8080 # for first service (default port value) curl -fsS http://localhost:8081 # for second service (other port value) [ Potential Problems ] The update of tomcat-native from v1.3.1-1 to v2.0.14-1 provides beneficial updates (security and performance), with little risk to regression as it is now the stable version for upstream Debian. 
Since all the packages to be backported require tomcat-native as a build-dependency, all of them must be migrated/released together. These updates may impact users currently running versions of Tomcat, as they will need to restart the service after upgrading. For the backports to Noble, we need to relax compiler requirements due to a missing build dependency of the libeclipse-jdt-core-compiler-batch- java binary package. This can be simply done by removing this dependency, but may result in subtle behavioural differences or performance regressions. For example, there could be a missing library or language feature because of the downgrade in compiler, however this would ultimately be caught at build-time. In Noble, tomcat11 is also a new package that can be co-installed alongside tomcat10. This is the same functionality that is currently seen in the archive for Resolute and Questing and the co-installation test above would show any failures here. Since the transitioning from libtcnative-1 to libtcnative-2 is effectively a name-change, the previous version is not superseded. Internally, tomcat10 and tomcat11 counter this by dynamically loading libtcnative-2, or falling back to libtcnative-1, or running with neither. tomcat9 does not provide server packages that load tomcat-native to improve performance. It is not functionally affected by tomcat-native transition. The tomcat9 uploads are only needed to remove the build - dependency on libtcnative-1. + dependency on libtcnative-1[1]. 
+ + [1] https://salsa.debian.org/java- + team/tomcat9/-/commit/8e68aef5dfff306a49f111093e71690486cb2d0e [ Other Info ] PPA: https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat- backports Diffs (tomcat9): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.70-2_9.0.118-1~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.95-1ubuntu1_9.0.118-1~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.115-1_9.0.118-1~26.04.1.diff.gz Diffs (tomcat10): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.16-1_10.1.55-1ubuntu2~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.40-1ubuntu1_10.1.55-1ubuntu2~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.40-1ubuntu1_10.1.55-1ubuntu2~26.04.1.diff.gz Diffs (tomcat11): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.22-2ubuntu2_11.0.22-2ubuntu2~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.6-1_11.0.22-2ubuntu2~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.18-1_11.0.22-2ubuntu2~26.04.1.diff.gz Diffs (tomcat-native): - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.2.35-1build2_2.0.14-1~24.04.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.3.1-1_2.0.14-1~25.10.1.diff.gz - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.3.1-1build1_2.0.14-1~26.04.1.diff.gz
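Review bot: In the [ Test Plan ] context lines, both journalctl checks wrap the grep pattern in typographic quotes (“Loaded Apache Tomcat Native library”), which a shell does not treat as quoting, so grep would receive “Loaded as its pattern and the remaining words as file names; the Connector snippet in step 2 carries the same quotes around its attribute values. Suggest ASCII double quotes throughout so the steps work when pasted as written. The plan also launches only ubuntu-daily:resolute while the SRU covers Noble, Questing and Resolute, so it is worth stating that the steps are repeated for each series.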
https://bugs.launchpad.net/bugs/2155817
Title: [SRU] Backport Tomcat to Noble, Questing, Resolute
