Hi all, We've started to use software from dependency tracker dot com to analyse dependencies in our web applications and it highlighted the following:
"The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError." My question would be whether it is sufficient to update the application .war file to use, for example, version 9.0.56 of tomcat-servlet-api and related libraries or do we also have to deploy with Tomcat 9.0.54+? I'm guessing that updating the .war file would remedy the application memory leak and updating the deployment version would remedy the memory leak in the Tomcat service itself - but I don't like to leave this to guesswork. We've had reports of memory leaks causing problems. Thank you, Tim -- Tim Scott OCLC * Senior Software Engineer / Technical Product Manager CityGate, 8 St. Mary's Gate, Sheffield S1 4LW, UK cc: IT file OCLC COVID-19 resources: oc.lc/covid19-service-info<https://oc.lc/covid19-service-info>
