Hi, My application is currently using Apache Tomcat 9.0.120 on a RHEL 9.2. We plan to utilize Apache Tomcat 9.1.x once it is released.
We are concerned about the timing of the 9.1.x release and if we will have enough time to migrate/upgrade our application to using 9.1 before 9.0.x is officially EOL - which we see on Apache's website states that 9.0 EOL is no earlier than March 31st 2027. I understand that no release date has been provided for 9.1, but can you provide guidance as to how long of a window or timeline software vendors like us will have to migrate our applications before 9.0 is EOL? The issue is security vulnerabilities. For example, we get notification from Apache on March 20th 2027 for a 9.0.x release - which is presumably the last 9.0 release before it is EOL on March 31st 2027. We then get a notification from Apache on March 27th for the 9.1.x release. This gives us three days to migrate, test, and deliver our software to our customer base, and it gives them very little time to upgrade so that they are covered in terms of security vulnerabilities. Our customer's security teams are stating that at midnight, March 31st, if Apache Tomcat is not upgraded to 9.1, then the company will have to shut the application/system down to avoid being vulnerable. Any guidance on how much time will be given from the time Tomcat 9.1 is released to the time 9.0 is EOL would be appreciated. Thank you, Lisa Sayre
