Thomas,

On 6/18/21 14:36, tomcat-li...@thomas.freit.ag wrote:
> [snip]
>
> I would only stick to the distro-provided packages, if it is a small
> (in other words not that important) application running in Tomcat. Just
> for reference: With Ubuntu 18.04, you would end up
> with 9.0.16 vs. 9.0.48 (Tomcat project) or 8.5.39 vs. 8.5.68 (Tomcat
> project), which is software about 2 years old.
The above statement is *very* misleading.

To understand why it's misleading, you have to understand the Debian "way" of package-management. Ubuntu is Debian-derived and, although they have their own package repositories, etc., they do inherit from upstream and do make some changes on their own separate from upstream.

But the Debian "way" is to pick a package version and stick with it as long as possible, for stability's sake.

The Tomcat team releases new code including all kinds of things (security fixes, bug fixes, new features, etc.) together at once and gives it a new version number. It happens ~ once per month these days for the active branches (10/9/8.5).

That 9.0.16 version you quote above is the "base version" you are getting. It doesn't mean it's the same bits that were made available for download starting on 2019-04-13. Both the Debian and the Ubuntu team apply updates to the apache-tomcat-9 package so that although it says 9.0.16, you are really getting their version tomcat9_9.0.16-4~bpo9+1_all (well, that's what Debian says; I don't have Ubuntu handy).

All that junk at the end (-4~bpo9+1_all) indicates the various updates that have been applied after the original 9.0.16. If you read the changelog[1] for Buster, you'll see that it was last updated as recently as 2021-04-12 to apply fixes for CVE-2021-25122 and CVE-2021-25329 (thanks, Emmanuel!). In fact, in Buster, you are getting 9.0.31. I'll bet if you look at the Ubuntu changelog for your package, you'll find something similar.

If you are getting 9.0.16 from your Ubuntu repository, I think you may be getting "left behind" by something. The current Ubuntu package should actually be a base version of 9.0.43. Older versions of Ubuntu have older base Tomcat versions.

> For any errors you might get on distro packages, first hint would
> most likely be to update to a recent Tomcat version. Even if security
> fixes are backported by the distro, you would end up with versions
> missing a lot of fixes and improvements.
Again, distros like Debian focus on stability, so only security fixes. You can also subscribe to the "backports" channels, which can sometimes get you more up-to-date packages if you'd like something more current.

-chris

[1] https://metadata.ftp-master.debian.org/changelogs//main/t/tomcat9/tomcat9_9.0.31-1~deb10u4_changelog
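
The version strings Chris walks through above (9.0.16-4~bpo9+1, 9.0.31-1~deb10u4) follow Debian's [epoch:]upstream[-revision] syntax and sort by dpkg's own rules, not plain string order. The following is an added example, not code from the thread or from the Tomcat or Debian projects: a Python re-implementation of the dpkg comparison that splits a package version into its upstream base and distro revision and tells you whether the base lags the project release; the sample versions are the ones quoted in the mail.

```python
import itertools
import re
# Debian version syntax is [epoch:]upstream_version[-debian_revision], so
# "9.0.16-4~bpo9+1" is upstream Tomcat 9.0.16 plus Debian revision 4,
# rebuilt as a backport ("~bpo9") and updated once since ("+1").

def parse(version):
    """Split a Debian version string into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(':')
    if not sep:
        epoch, rest = '0', version
    upstream, sep, revision = rest.rpartition('-')
    if not sep:
        upstream, revision = rest, ''
    return int(epoch), upstream, revision

def version_from_deb_filename(filename):
    """Pull the version out of a .deb name like tomcat9_9.0.16-4~bpo9+1_all."""
    return filename.removesuffix('.deb').split('_')[1]

def _order(c):
    # dpkg order for non-digits: '~' before everything (even end of string),
    # then end of string, then letters, then all other characters.
    if c == '~':
        return -1
    return 0 if c == '' else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment the way dpkg does."""
    while a or b:
        # leading non-digit runs are compared character by character ...
        ra, rb = re.match(r'\D*', a).group(), re.match(r'\D*', b).group()
        a, b = a[len(ra):], b[len(rb):]
        for x, y in itertools.zip_longest(ra, rb, fillvalue=''):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        # ... then leading digit runs are compared numerically
        da, db = re.match(r'\d*', a).group(), re.match(r'\d*', b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare(v1, v2):
    """Return <0, 0 or >0, matching dpkg --compare-versions."""
    e1, u1, r1 = parse(v1)
    e2, u2, r2 = parse(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def base_lags_upstream(pkg_version, upstream_release):
    """True if the package's upstream base is older than the project's release."""
    return _cmp_fragment(parse(pkg_version)[1], upstream_release) < 0
```

Note that the revision only tells you the distro has patched its base; which CVEs those patches cover is in the package changelog, as Chris says, not in the version string.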
