Hi,
My application is currently using Apache Tomcat 9.0.120 on a RHEL 9.2.
We plan to utilize Apache Tomcat 9.1.x once it is released.

We are concerned about the timing of the 9.1.x release and if we will have 
enough time to migrate/upgrade our application to using 9.1 before 9.0.x is 
officially EOL - which we see on Apache's website states that 9.0 EOL is no 
earlier than March 31st 2027.

I understand that no release date has been provided for 9.1, but can you 
provide guidance as to how long of a window or timeline software vendors like 
us will have to migrate our applications before 9.0 is EOL?  The issue is 
security vulnerabilities.

For example, we get notification from Apache on March 20th 2027 for a 9.0.x 
release - which is presumably the last 9.0 release before it is EOL on March 
31st 2027.  We then get a notification from Apache on March 27th for the 9.1.x 
release.  This gives us three days to migrate, test, and deliver our software 
to our customer base, and it gives them very little time to upgrade so that 
they are covered in terms of security vulnerabilities.  Our customer's security 
teams are stating that at midnight, March 31st, if Apache Tomcat is not 
upgraded to 9.1, then the company will have to shut the application/system down 
to avoid being vulnerable.

Any guidance on how much time will be given from the time Tomcat 9.1 is 
released to the time 9.0 is EOL would be appreciated.
Thank you,
Lisa Sayre

Reply via email to