To clarify a bit more: Feel free to provide a PR backporting the required changes (may also be relevant for bouncycastle). We have recently updated our download page and now explicitly state:

"SECURITY NOTICE: This software is developed and maintained by unpaid volunteers who donate time as they have it. There is no guarantee security vulnerabilities will be fixed on any timeline or at all."

In addition, there is the option to contact the vendors listed in [1] if enterprise-level support is required, or to support the active community in the ways already discussed on this list.

[1] https://tomee.apache.org/community/commercial.html

On 2024/07/09 08:21:12 Richard Zowalla wrote:
> Hello,
>
> most likely yes (haven't checked in detail).
>
> Personally, I'm not going to port anything back to TomEE 9.x as I'm currently
> focused on 10.x work. However, I am available to review any community-driven
> patches/initiatives via PRs targeting the tomee-9.x branch.
>
> Best regards
> Richard
>
> On 2024/07/09 08:10:59 COURTAULT Francois wrote:
> > THALES GROUP LIMITED DISTRIBUTION to email recipients
> >
> > Hello everyone,
> >
> > TomEE 9.1.3 is based on Tomcat 10.0.27.
> > So the question is: Is TomEE 9.1.3 vulnerable to this CVE?
> > If the answer is yes, will you provide a fix for Tomcat 10.0.27, which is
> > not maintained anymore? And so will you release a new TomEE 9.x version?
> >
> > This CVE has been fixed by Tomcat 9.0.90+ and 10.1.25+.
> >
> > Best Regards.