@Troels, you will need to first backport the fixes of the CVEs that you want to fix to the current jammy version, add a new changelog entry and build it. The build will generate the debdiff file you will send to us. For more information check the link that Marc shared before: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures
You might ask why backport the fixes and not update tomcat9 to the latest version, and the reason for that is stability and ABI. The preferred method for security fixing packages is through backporting patches, rather than doing version updates. Do note that some (I believe two from what I quickly checked) of the CVEs you mentioned are already fixed through Ubuntu Pro, but if you want to land it in the archive you will need to backport those as well. Whenever you send us a debdiff, we will gladly review and sponsor it.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2047933

Title: Fix for CVE-2023-46589 in Jammy's tomcat9
