THALES GROUP LIMITED DISTRIBUTION to email recipients

Hello Jonathan,

You wrote:
> One comment I'll make though, is that NexusIQ (I also use it) will
> potentially still identify the jars as Tomcat 10.0.27, and therefore
> may still identify them as vulnerable (incorrectly), despite a patch
> being applied.

I have checked the MANIFEST.MF file of the Tomcat and Catalina libraries inside TomEE 9.1.1 and all of them have Implementation-Version: 10.0.27 and sometimes Bundle-Version: 10.0.27.

Best Regards.

-----Original Message-----
From: Vicente Rossello <cocorosse...@gmail.com>
Sent: Monday 13 November 2023 16:16
To: users@tomee.apache.org
Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is quite old ...

Hi,

I was also wondering about this outdated Tomcat. I was trying to move to TomEE 9.1, but I realized that we depend on some Tomcat features that are not present in Tomcat 10.x. So I guess we have to move from TomEE 8 all the way to TomEE 10.

So, also checking on the 10.x branch, I see that it depends on EclipseLink 3.0.3, but I guess that this is temporary and it will be upgraded to EclipseLink 4.x, since this is the version compatible with Jakarta 10.

This Jakarta migration seems like a huge and risky task; every time I try to attempt it I find new obstacles (this is not criticism of course, just saying).

On Mon, Nov 13, 2023 at 4:00 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
> I will check on the state of these CVEs with respect to the backports,
> and reply on this thread.
>
> One comment I'll make though, is that NexusIQ (I also use it) will
> potentially still identify the jars as Tomcat 10.0.27, and therefore
> may still identify them as vulnerable (incorrectly), despite a patch
> being applied.
>
> While I understand the frustration that may cause both yourself and
> your customers, please understand that both Tomcat and TomEE are
> community projects, and everyone contributing is doing so as a volunteer.
>
> Richard has already outlined why we can't move to Tomcat 10.1.x on
> TomEE 9.x. TomEE 10.x is in progress. Any contributions you wanted to
> make would be most welcome.
>
> Jon
>
> On Mon, Nov 13, 2023 at 1:29 PM COURTAULT Francois
> <francois.courta...@thalesgroup.com.invalid> wrote:
> >
> > Hello Richard,
> >
> > I performed a vulnerabilities scan using NexusIQ; the results are:
> > - CVE-2022-45143 (CVSS 3 score 7.5) on tomcat-catalina : 10.0.27
> > - CVE-2023-24998 (CVSS 3 score 7.5) on tomcat-coyote : 10.0.27
> >
> > Some of our customers won't accept that ☹
> >
> > BTW, I also scanned Tomcat 10.1.15 with the same tool and I no longer
> > get such a CVSS 3 score.
> > So will you start TomEE 10.x at some point?
> >
> > Best Regards.
> >
> > -----Original Message-----
> > From: Richard Zowalla <r...@apache.org>
> > Sent: Monday 13 November 2023 12:53
> > To: users@tomee.apache.org
> > Subject: Re: TomEE 9.x relies on Tomcat 10.0.27 but this one is
> > quite old ...
> >
> > Hi,
> >
> > the TomEE 10.0.27 contained in TomEE 9.1.x is patched inside the
> > TomEE build to fix the latest CVEs. We did not backport bug fixes, though.
> >
> > As TomEE 9 targets EE9(.1), we cannot upgrade to Tomcat 10.1.x,
> > which is EE10. So from a spec perspective, there is currently no
> > plan to migrate TomEE 9.x to Tomcat 10.1.x (without breaking the TCK).
> >
> > Regards
> > Richard
> >
> >
> > On Monday, 13.11.2023 at 11:30 +0000, COURTAULT Francois wrote:
> > > Hello everyone,
> > >
> > > According to this link
> > > https://tomcat.apache.org/tomcat-10.0-eol.html Tomcat 10.0.x is
> > > EOL, right?
> > > But TomEE 9.1.1 still relies on Tomcat 10.0.x.
> > >
> > > Any plan to migrate TomEE 9.x to Tomcat 10.1.x?
> > >
> > > Best Regards.
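The thread's core point is that a manifest-based SCA tool keys on `Implementation-Version` / `Bundle-Version` in `META-INF/MANIFEST.MF`, so a jar patched inside the TomEE build but still declaring 10.0.27 is reported exactly like the unpatched upstream jar. The script below is an added illustration, not code from the TomEE project, NexusIQ, or anyone on the list: it builds two in-memory jars that share a constructed manifest, parses the manifest the way a version-matching scanner would (including continuation lines), reproduces the version-only findings quoted in the thread, and then shows the reconciliation step a defender needs, which is to suppress a version match only when the exact artifact hash is on a maintained list of builds verified to carry the fix. The manifest text, the class stub, the hash allowlist and the `VERSION_ADVISORIES` table (which models only the exact matches named in the scan output, not the advisories' real affected ranges) are all constructed for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample manifest (not copied from a real TomEE jar). It carries the
# two attributes the thread says the scanner keys on, and a wrapped
# Bundle-Description to exercise manifest continuation lines.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Implementation-Title: Apache Tomcat\r\n"
    "Implementation-Version: 10.0.27\r\n"
    "Bundle-Version: 10.0.27\r\n"
    "Bundle-Description: Catalina container, wrapped onto a continuation li\r\n"
    " ne as the JAR manifest format allows\r\n"
    "\r\n"
)

# Constructed from the scan output quoted in the thread: which CVE the scanner
# reported against which declared version. Real advisories cover version
# ranges; this table models only the exact matches named on the list.
VERSION_ADVISORIES = {
    "tomcat-catalina": {"CVE-2022-45143": {"10.0.27"}},
    "tomcat-coyote": {"CVE-2023-24998": {"10.0.27"}},
}


def build_sample_jar(manifest_text: str, marker: bytes) -> bytes:
    """Build an in-memory jar with the given manifest and one class stub.
    `marker` lets two jars differ in content while sharing a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        zf.writestr("org/apache/catalina/Stub.class", b"\xca\xfe\xba\xbe" + marker)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of a JAR manifest: 'Key: value' lines, where a
    line starting with a single space continues the previous value."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if line == "":
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        attrs[key] = value[1:] if value.startswith(" ") else value
        last_key = key
    return attrs


def declared_versions(jar_bytes: bytes) -> dict:
    """What a manifest-based scanner sees: the versions the jar claims."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return {k: attrs.get(k) for k in ("Implementation-Version", "Bundle-Version")}


def version_only_findings(component: str, jar_bytes: bytes) -> list:
    """Mimic version matching: flag every advisory whose affected set contains
    the declared Implementation-Version. A fix applied in the build without
    bumping the manifest is invisible here, which is the false positive the
    thread describes."""
    version = declared_versions(jar_bytes)["Implementation-Version"]
    advisories = VERSION_ADVISORIES.get(component, {})
    return sorted(cve for cve, affected in advisories.items() if version in affected)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reconciled_findings(component: str, jar_bytes: bytes, vetted_hashes: set) -> list:
    """Defender-side reconciliation: keep a version-based finding unless the
    exact artifact (by SHA-256) is on a maintained allowlist of builds that
    were verified to carry the fix. The allowlist is the evidence, not the
    manifest."""
    if sha256_hex(jar_bytes) in vetted_hashes:
        return []
    return version_only_findings(component, jar_bytes)


if __name__ == "__main__":
    upstream = build_sample_jar(SAMPLE_MANIFEST, b"\x00")  # stands in for unpatched 10.0.27
    patched = build_sample_jar(SAMPLE_MANIFEST, b"\x01")   # same manifest, different bytes
    print("declared:", declared_versions(patched))
    print("version-only:", version_only_findings("tomcat-catalina", patched))
    vetted = {sha256_hex(patched)}  # constructed allowlist for the verified build
    print("reconciled:", reconciled_findings("tomcat-catalina", patched, vetted))
```

Both jars produce the same `version-only` finding because their manifests are identical; only the hash allowlist separates them. In practice that allowlist would be fed from the build that applied the patch (or from an SBOM that records the patched artifact), which is the piece of evidence a version-matching scanner cannot derive from the jar on its own.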