Things are really getting bad with regards to Jammy's Tomcat 9. In addition to the CVE already mentioned, the following have subsequently piled up:

CVE-2025-31651 from 2025-04-28, fixed in 9.0.104: CVSS 5.3 or 9.8, depending on who rates it
CVE-2025-24813 from 2025-03-10, fixed in 9.0.99: CVSS 8.6 or 10, depending on who rates it
CVE-2024-56337 from 2024-11-09, fixed in 9.0.98: CVSS 8.1 or 9.8, depending on who rates it
CVE-2024-52316 from 2024-11-18, fixed in 9.0.96: CVSS 7.4 or 9.8, depending on who rates it
CVE-2024-50379 from 2024-12-17, fixed in 9.0.98: CVSS 8.1 or 9.8, depending on who rates it
CVE-2024-38286 from 2024-11-07, fixed in 9.0.90: CVSS 7.5 or 8.6, depending on who rates it

Vulnerability scanners are increasingly flagging Ubuntu 22 as being very insecure, if running Tomcat 9.

I have provided Tomcat 9.0.111 here:
https://launchpad.net/~troels-w/+archive/ubuntu/tomcat-slipstream/+packages
I've been running it in production for a while without issues.

Can someone help me understand what I need to contribute to Ubuntu 22 getting into a decent state with regards to tomcat9? Someone wrote I needed to provide a debdiff, but of which files, exactly?

Is there a good, focused chat about Universe where I can get help trying to advance this?

** CVE added: https://cve.org/CVERecord?id=CVE-2024-38286
** CVE added: https://cve.org/CVERecord?id=CVE-2024-50379
** CVE added: https://cve.org/CVERecord?id=CVE-2024-52316
** CVE added: https://cve.org/CVERecord?id=CVE-2024-56337
** CVE added: https://cve.org/CVERecord?id=CVE-2025-24813
** CVE added: https://cve.org/CVERecord?id=CVE-2025-31651

https://bugs.launchpad.net/bugs/2047933

Title:
  Fix for CVE-2023-46589 in Jammy's tomcat9
