Re: Apache Tomcat 8.5.82 Release Date

2022-07-26 Thread Christopher Schultz

Wai Siang,

On 7/26/22 00:13, Wai Siang, Chu wrote:

Based on the previous email reply,
may we have an update regarding the estimated release date for the *Apache
Tomcat 8.5.82* ?


I expect to begin the release process around 1 August (6 days from today).

Please note that upgrading to Tomcat 8.5.82 once it is available should 
not provide any actual security protections in a production environment. 
If you have deployed the "examples" web application into production then 
you are already making a mistake, security-wise. Simply removing the 
application entirely mitigates the threat.


-chris


On Wed, Jul 13, 2022 at 6:00 PM Mark Thomas wrote:


On 13/07/2022 10:46, Wai Siang, Chu wrote:

Dear Apache Tomcat Team,

We are aware there is a vulnerability found in the latest 8.5.xx version.

*Low: Apache Tomcat XSS in examples web application* CVE-2022-34305


Hence, may we check whether there is an estimated timeline for the *Apache Tomcat
8.5.82* release date?


Why?

Have you reviewed the vulnerability? It is an XSS in the examples app.
The examples app should never be deployed in a production environment.
Hence this vulnerability should be a non-issue for (nearly?) all users.

Like all currently supported Tomcat versions, 8.5.x is released on a
roughly monthly cycle. The July release for 8.5.x hasn't started yet so
I'd expect the release later this month.

If you want to follow release planning more closely, then that is
discussed on the dev list.

Mark





Thank you.

Regards,
Wai Siang




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
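
One way to verify the mitigation both replies above describe (that the "examples" web application is not deployed), as an added example that is not part of the thread or of the Tomcat project. It assumes the default appBase "webapps", the default Engine/Host names "Catalina"/"localhost", and that a renamed copy of the examples app still contains jsp/security/protected/login.jsp; find_examples_app is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: report deployments of the Tomcat "examples" web application
# under a given CATALINA_BASE. Returns 0 when nothing is found, 1 otherwise.
# Assumptions: default appBase "webapps" and default Engine/Host names
# "Catalina"/"localhost". A custom appBase in server.xml is not followed.

find_examples_app() {
    base=$1
    found=0

    # Deployed under its default name: exploded directory, WAR file, or a
    # context descriptor that maps the /examples context path.
    for p in "$base/webapps/examples" \
             "$base/webapps/examples.war" \
             "$base/conf/Catalina/localhost/examples.xml"; do
        if [ -e "$p" ]; then
            echo "FOUND: $p"
            found=$((found + 1))
        fi
    done

    # Renamed exploded copies. Assumption: the Form authentication example
    # keeps its relative path jsp/security/protected/login.jsp.
    for d in "$base"/webapps/*/; do
        [ -d "$d" ] || continue
        case "$d" in "$base/webapps/examples/") continue ;; esac
        if [ -f "${d}jsp/security/protected/login.jsp" ]; then
            echo "FOUND (possible renamed copy): $d"
            found=$((found + 1))
        fi
    done

    [ "$found" -eq 0 ]
}

# Stand-alone use: sh check_examples.sh /path/to/catalina_base
if [ "$#" -gt 0 ]; then
    find_examples_app "$1"
fi
```

A non-zero exit status means at least one deployment was found; removing the listed directory, WAR or descriptor is the mitigation described in the thread.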









[ANN] Apache Tomcat 10.0.23 available

2022-07-26 Thread Mark Thomas

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.23.

This release is targeted at Jakarta EE 9.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. This conversion is performed using the Apache Tomcat 
migration tool for Jakarta EE, which is also available as a separate 
download for off-line use.


Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specifications.

The notable changes compared to 10.0.22 include:

- Implement support for repeatable builds

- Update the packaged version of the Tomcat Native Library to 1.2.35.
  This includes Windows binaries built with OpenSSL 1.1.1q.

- Fix CVE-2022-34305, a low severity XSS vulnerability in the Form
  authentication example

Please refer to the change log for the complete list of changes:
http://tomcat.apache.org/tomcat-10.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-10.cgi

Migration guides from Apache Tomcat 7.0.x, 8.5.x and 9.0.x:
http://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team
