It wasn't a security update that bumped 8.5.30 to 8.5.39; I believe it was an SRU for OpenJDK compatibility.
The issue with bumping from .39 to .61 is that the same issue will come up as described in the CVE tracker, namely: "One of the upstream fixes for this issue renames the requiredSecret parameter to secret and adds a secretRequired parameter that defaults to “true”. Adding this change to stable releases will result in servers failing to start until the administrator either changes secretRequired to “false”, or configures an adequate secret. Apache started supporting a secret in mod_proxy_ajp with 2.4.42, which means to enable a secret we will have to issue Apache updates with the backported secret support." So if an installation was vulnerable to CVE-2020-1938, the update would break it, and they would then need to disable the security fix or use an updated version of Apache.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1938

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1865904

Title:
  Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1865904/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
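The secret / secretRequired behaviour quoted above, as an added audit check that is not part of the bug report or of Tomcat: it parses a Tomcat server.xml and classifies each AJP connector as failing to start, unauthenticated, or carrying a secret. The server.xml is constructed for the example; the attribute names are the post-fix ones (secret, secretRequired) named in the CVE tracker quote, and a missing address attribute is assumed to mean "all interfaces" as on releases before the fix.

```python
# Added example (not from the bug report): audit a Tomcat server.xml for AJP
# connectors in the light of the GhostCat (CVE-2020-1938) fix semantics.
import xml.etree.ElementTree as ET

# Constructed sample server.xml with one HTTP and three AJP connectors.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- legacy connector: no secret, so a fixed Tomcat refuses to start it -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- secret explicitly disabled: starts, but AJP is unauthenticated -->
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secretRequired="false"/>
    <!-- hardened: loopback only plus a shared secret (placeholder value) -->
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1" secret="REPLACE_WITH_LONG_RANDOM_VALUE"/>
  </Service>
</Server>
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one (port, status, reason) tuple per AJP connector."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # Assumption: absent address means all interfaces (pre-fix default).
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if secret:
            status = "ok" if address in LOOPBACK else "warn"
            reason = "secret set" + ("" if status == "ok" else f", but bound to {address}")
        elif secret_required:
            status = "startup-failure"
            reason = "secretRequired defaults to true and no secret is configured"
        else:
            status = "unauthenticated"
            reason = f"secretRequired=false: any client reaching {address}:{port} can speak AJP"
        findings.append((port, status, reason))
    return findings


if __name__ == "__main__":
    for port, status, reason in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector {port}: {status} ({reason})")
```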
