THALES GROUP LIMITED DISTRIBUTION to email recipients 

Hello Richard,

I performed a vulnerability scan using NexusIQ; the results are:
    - CVE-2022-45143 (CVSS 3 scoring 7.5) on tomcat-catalina : 10.0.27
    - CVE-2023-24998 (CVSS 3 scoring 7.5) on tomcat-coyote : 10.0.27

Some of our customers won't accept that ☹

BTW I also scanned Tomcat 10.1.15 with the same tool and I no longer have such 
CVSS 3 scores.
So will you start TomEE 10.x at some point?

Best Regards.

-----Original Message-----
From: Richard Zowalla <r...@apache.org>
Sent: Monday, 13 November 2023 12:53
To: users@tomee.apache.org
Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is quite old ...

Hi,

the TomEE 10.0.27 contained in TomEE 9.1.x is patched inside the TomEE build to 
fix the latest CVEs. We did not backport bug fixes, though.

As TomEE 9 targets EE9(.1), we cannot upgrade to Tomcat 10.1.x, which is EE10. 
So from a spec perspective, there is currently no plan to migrate TomEE 9.x to 
Tomcat 10.1.x (without breaking the tck).

Regards
Richard


On Monday, 13.11.2023 at 11:30 +0000, COURTAULT Francois wrote:
> THALES GROUP LIMITED DISTRIBUTION to email recipients
> 
> Hello everyone,
> 
> According to this link
> https://tomcat.apache.org/tomcat-10.0-eol.html Tomcat 10.0.x is EOL, 
> right?
> But TomEE 9.1.1 still relies on Tomcat 10.0.x.
> 
> Any plan to migrate TomEE 9.x to Tomcat 10.1.x?
> 
> Best Regards.
> 
> 
> 
