Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade to Tomcat 10.1.15 #37812

Closed
philwebb opened this issue Oct 10, 2023 · 6 comments
Closed

Upgrade to Tomcat 10.1.15 #37812

philwebb opened this issue Oct 10, 2023 · 6 comments
Labels
status: superseded An issue that has been superseded by another type: dependency-upgrade A dependency upgrade

Comments

@philwebb
Copy link
Member

philwebb commented Oct 10, 2023
edited
Loading

Needed for #37808
@philwebb philwebb added the type: dependency-upgrade A dependency upgrade label Oct 10, 2023
@philwebb philwebb added this to the 3.0.x milestone Oct 10, 2023
@philwebb
Copy link
Member Author

philwebb commented Oct 11, 2023
edited by wilkinsona
Loading

Looks like we might need to wait for 10.1.15 with this fix

@wilkinsona wilkinsona changed the title Upgrade to Tomcat 10.1.14 Upgrade to Tomcat 10.1.15 Oct 11, 2023
@wilkinsona wilkinsona added the status: blocked An issue that's blocked on an external project change label Oct 11, 2023
@bclozel bclozel mentioned this issue Oct 12, 2023
Closed
@ndrscodes
Copy link

ndrscodes commented Oct 12, 2023
edited
Loading

Just a reminder:

As already mentioned in #37845, The current tomcat version is vulnerable to CVE-2023-44487. The vulnerability is expoitable and currently awaiting analysis at NIST. It was rated as a high severity vulnerability with a score of 7.5 by Snyk.

Once the fix is in place, i think this should be rolled out rather sooner than later :)

@grgrzybek
Copy link

grgrzybek commented Oct 13, 2023
edited
Loading

Just a reminder - you also need this fix related to gzip compression.

@philwebb hi - I didn't find a ticket for Spring Boot 2.7.x which uses Tomcat 9.0.80 affected by CVE-2023-44487.
Mind that there's the same situation - version 9.0.81 fixes this CVE, but breaks gzip encoding. 9.0.82 should be available soon (under ASF voting now).

@grgrzybek
Copy link

Tomcat 9.0.82 is already available. 10.1.15 should be in Maven Central soon I guess.

@wilkinsona
Copy link
Member

wilkinsona commented Oct 13, 2023
edited
Loading

Thanks for the info, but it isn't really necessary. Please rest assured that we're well aware of the situation with CVE-2023-44487 and we will be upgrading our various web server dependencies once the remaining releases are available.

In the hope that it minimises any further noise for those watching the repository, I am going to lock this issue.

The next Spring Boot releases will be on 19 October as planned. In the meantime, if your chosen web server has released a version that mitigates CVE-2023-44487, you can upgrade to it by overriding Spring Boot's dependency management.

@spring-projects spring-projects locked as resolved and limited conversation to collaborators Oct 13, 2023
@wilkinsona
Copy link
Member

Superseded by #37901.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Oct 16, 2023
@wilkinsona wilkinsona added status: superseded An issue that has been superseded by another and removed status: blocked An issue that's blocked on an external project change labels Oct 16, 2023
@wilkinsona wilkinsona removed this from the 3.0.x milestone Oct 16, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
status: superseded An issue that has been superseded by another type: dependency-upgrade A dependency upgrade
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@grgrzybek @philwebb @wilkinsona @ndrscodes