Hi,

I was also wondering about this outdated tomcat.

I was trying to move to tomee 9.1, but I realized that we depend on some
tomcat features that are not present on tomcat 10.x.

So I guess we have to move from tomee 8 all the way to tomee 10. So, also
checking on the 10.x branch, I see that it depends on eclipselink 3.0.3, but I
guess that this is temporary and it will be upgraded to eclipselink 4.x,
since this is the version compatible with jakarta 10.

This jakarta migration seems like a huge and risky task, every time I try
to attempt it I find new obstacles (this is not criticism of course, just
saying).

On Mon, Nov 13, 2023 at 4:00 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> I will check on the state of these CVEs with respect to the backports, and
> reply on this thread.
>
> One comment I'll make though, is that NexusIQ (I also use it) will
> potentially still identify the jars as Tomcat 10.0.27, and therefore may
> still identify them as vulnerable (incorrectly), despite a patch being
> applied.
>
> While I understand the frustration that may cause both yourself and your
> customers, please understand that both Tomcat and TomEE are community
> projects, and everyone contributing is doing so as a volunteer.
>
> Richard has already outlined why we can't move to Tomcat 10.1.x on TomEE
> 9.x. TomEE 10.x is in progress. Any contributions you wanted to make would
> be most welcome.
>
> Jon
>
> On Mon, Nov 13, 2023 at 1:29 PM COURTAULT Francois
> <francois.courta...@thalesgroup.com.invalid> wrote:
>
> > THALES GROUP LIMITED DISTRIBUTION to email recipients
> >
> > Hello Richard,
> >
> > I performed a vulnerabilities scan using NexusIQ, the results are:
> >     - CVE-2022-45143 (CVSS 3 scoring 7.5) on tomcat-catalina : 10.0.27
> >     - CVE-2023-24998 (CVSS 3 scoring 7.5) on tomcat-coyote : 10.0.27
> >
> > Some of our customers won't accept that ☹
> >
> > BTW I also scanned Tomcat 10.1.15 with the same tool and I no longer
> > have such a CVSS 3 score.
> > So will you start TomEE 10.x at some point?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Richard Zowalla <r...@apache.org>
> > Sent: Monday, 13 November 2023 12:53
> > To: users@tomee.apache.org
> > Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is quite old
> > ...
> >
> > Hi,
> >
> > the TomEE 10.0.27 contained in TomEE 9.1.x is patched inside the TomEE
> > build to fix the latest CVEs. We did not backport bug fixes, though.
> >
> > As TomEE 9 targets EE9(.1), we cannot upgrade to Tomcat 10.1.x, which is
> > EE10. So from a spec perspective, there is currently no plan to migrate
> > TomEE 9.x to Tomcat 10.1.x (without breaking the tck).
> >
> > Regards
> > Richard
> >
> >
> > On Monday, 13.11.2023 at 11:30 +0000, COURTAULT Francois wrote:
> > > THALES GROUP LIMITED DISTRIBUTION to email recipients
> > >
> > > Hello everyone,
> > >
> > > According to this link
> > > https://tomcat.apache.org/tomcat-10.0-eol.html Tomcat 10.0.x is EOL,
> > > right?
> > > But TomEE 9.1.1 still relies on Tomcat 10.0.x.
> > >
> > > Any plan to migrate TomEE 9.x to Tomcat 10.1.x?
> > >
> > > Best Regards.
> > >
> > >
> > >
> >
>
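Jon's point about NexusIQ still reporting the patched jars as Tomcat 10.0.27 is a general property of version-string matching. The following is an added example, not code from the thread or from TomEE/NexusIQ: it reads the version a scanner would read from a jar manifest, matches it against an advisory table, and then applies a VEX-style "not_affected" overlay so the consumer can record that the fix was applied in this build. The jar, the affected-version ranges and the VEX entries are all constructed for illustration; only the two CVE ids and the 10.0.27 / 10.1.15 versions come from the thread.

```python
import io
import zipfile

# Constructed advisory table: the two CVEs the thread names, matched on the
# version string alone. The affected range is an ASSUMPTION for this example,
# not real NVD data.
ADVISORIES = {
    "tomcat-catalina": [("CVE-2022-45143", (10, 0, 0), (10, 0, 27))],
    "tomcat-coyote": [("CVE-2023-24998", (10, 0, 0), (10, 0, 27))],
}

# Hypothetical VEX-style statement a distributor could ship with a patched
# build: "this CVE is fixed in this exact artifact even though the version
# string did not change". Keyed by (artifact, version, cve).
VEX_NOT_AFFECTED = {
    ("tomcat-catalina", "10.0.27", "CVE-2022-45143"): "fix applied in TomEE build",
    ("tomcat-coyote", "10.0.27", "CVE-2023-24998"): "fix applied in TomEE build",
}


def make_jar(version):
    """Build an in-memory jar whose manifest carries only a version (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()


def manifest_version(jar_bytes):
    """Read Implementation-Version from the manifest, as a version-based scanner does."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for line in zf.read("META-INF/MANIFEST.MF").decode().splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    raise ValueError("no Implementation-Version in manifest")


def scan(artifact, jar_bytes, vex=None):
    """Version-only matching, then the VEX overlay; returns [(cve, status), ...]."""
    version = manifest_version(jar_bytes)
    parsed = tuple(int(p) for p in version.split("."))
    findings = []
    for cve, low, high in ADVISORIES.get(artifact, []):
        if low <= parsed <= high:  # the scanner sees 10.0.27 and flags it
            reason = (vex or {}).get((artifact, version, cve))
            findings.append((cve, f"not_affected: {reason}" if reason else "affected"))
    return findings
```

Without the overlay the patched 10.0.27 jar is reported as affected, exactly the false positive described above; with it the finding is kept but marked not_affected with the distributor's justification, which is what an auditor needs to see.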
