** Description changed: - TBD + ========================================= + This is an SRU for Apache Tomcat packages + ========================================= + + This SRU targets the Apache Tomcat packages tomcat9, tomcat10, tomcat11 + and tomcat-native, and coordinates the transition from libtcnative-1 to + libtcnative-2, the restoration of server packages for tomcat10 and also + addresses various CVEs fixed in their upstream Debian releases. + + [ Impact ] + + By backporting the latest releases of tomcat9, tomcat10, tomcat11 and + tomcat-native downward to Noble, this will improve the security of the + Java toolchain in Ubuntu. In doing so, the following CVEs will be + addressed: + + - https://nvd.nist.gov/vuln/detail/CVE-2024-24549 + - https://nvd.nist.gov/vuln/detail/CVE-2024-23672 + - https://nvd.nist.gov/vuln/detail/CVE-2025-61795 + - https://nvd.nist.gov/vuln/detail/CVE-2025-48989 + - https://nvd.nist.gov/vuln/detail/CVE-2026-24734 + - https://nvd.nist.gov/vuln/detail/CVE-2026-41284 + - https://nvd.nist.gov/vuln/detail/CVE-2026-41293 + - https://nvd.nist.gov/vuln/detail/CVE-2026-42498 + - https://nvd.nist.gov/vuln/detail/CVE-2026-43512 + - https://nvd.nist.gov/vuln/detail/CVE-2026-43513 + - https://nvd.nist.gov/vuln/detail/CVE-2026-43514 + - https://nvd.nist.gov/vuln/detail/CVE-2026-43515 + + It is crucial that these backports are done together, as tomcat-native + is a direct build/recommends dependency of tomcat9, tomcat10 and + tomcat11 and was renamed from libtcnative-1 to libtcnative-2 in upstream + releases. + + Additionally by backporting these packages, this SRU also restores + server packages for tomcat10, which were dropped since v10.1.52-2. yet + are invaluable for developers still using these features. + + The current tomcat-native version (1.3.1-1) in Questing and Resolute is + incompatible with the current tomcat11 package in the archive. In + updating both of these packages, it will fix this regression. 
+ + [ Test Plan ] + + All packages implement testing at build-time, whilst tomcat10 and + tomcat11 now make these and other smoke tests available through + autopkgtest to ensure tomcat-native compatibility. + + Each of these packages are self-contained and have no reverse + dependencies, and as such their build-time and/or autopkgtest results + should be sufficient. + + For tomcat10 and tomcat11 which produce server packages, these can be + simply tested by confirming that they are running after installation: + + # Launch lxd vm for testing: + lxc launch ubuntu-daily:resolute test && lxc exec test bash + + # Prepare the PPA for testing: + add-apt-repository ppa:rroessler/sru-tomcat-backports + apt update + + # Install version that has server packages: + apt install tomcat11 # or apt install tomcat10 + + # Check that the server is accessible: + curl -fsS http://localhost:8080 + + # Check to see if libtcnative-2 loaded successfully: + journalctl -u tomcat10 | grep “Loaded Apache Tomcat Native library” # or + journalctl -u tomcat11 | grep “Loaded Apache Tomcat Native library” + + # Co-installing both tomcat10 and tomcat11 + # 1. Start by installing both packages + apt install tomcat10 tomcat11 + + # 2. Change default port within /var/lib/tomcat11/conf/server.xml (or + # tomcat10) by replacing ‘port=”8080”’ in the following statement: + # <Connector port=”8080” protocol=”HTTP/1.1” + # connectionTimeout=”20000” + # redirectPort=”8443” + # maxParameterCount=”1000” + # /> + + # 3. Restart the service that was changed + systemctl restart tomcat11 + + # 4. Confirm both servers are now accessible + curl -fsS http://localhost:8080 # for first service (default port value) + curl -fsS http://localhost:8081 # for second service (other port value) + + [ Potential Problems ] + + The update of tomcat-native from v1.3.1-1 to v2.0.14-1 provides + beneficial updates (security and performance), with little risk to + regression as it is now the stable version for upstream Debian. 
+ + Since all the packages to be backported require tomcat-native as a + build-dependency, all of them must be migrated/released together. + + These updates may impact users currently running versions of Tomcat, as + they will need to restart the service after upgrading. + + For the backports to Noble, we need to relax compiler requirements due + to a missing build dependency of the libeclipse-jdt-core-compiler-batch- + java binary package. This can be simply done by removing this + dependency, but may result in subtle behavioural differences or + performance regressions. For example, there could be a missing library + or language feature because of the downgrade in compiler, however this + would ultimately be caught at build-time. + + In Noble, tomcat11 is also a new package that can be co-installed + alongside tomcat10. This is the same functionality that is currently + seen in the archive for Resolute and Questing and the co-installation + test above would show any failures here. + + Since the transitioning from libtcnative-1 to libtcnative-2 is + effectively a name-change, the previous version is not superseded. + Internally, tomcat9, tomcat10 and tomcat11 counter this by dynamically + loading libtcnative-2, or falling back to libtcnative-1, or running with + neither. 
+ + [ Other Info ] + + PPA: https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat- + backports + + Diffs (tomcat9): + + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.70-2_9.0.118-1~24.04.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.95-1ubuntu1_9.0.118-1~25.10.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat9_9.0.115-1_9.0.118-1~26.04.1.diff.gz + + Diffs (tomcat10): + + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.16-1_10.1.55-1ubuntu2~24.04.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.40-1ubuntu1_10.1.55-1ubuntu2~25.10.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat10_10.1.40-1ubuntu1_10.1.55-1ubuntu2~26.04.1.diff.gz + + Diffs (tomcat11): + + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.22-2ubuntu2_11.0.22-2ubuntu2~24.04.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.6-1_11.0.22-2ubuntu2~25.10.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat11_11.0.18-1_11.0.22-2ubuntu2~26.04.1.diff.gz + + Diffs (tomcat-native): + + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.2.35-1build2_2.0.14-1~24.04.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.3.1-1_2.0.14-1~25.10.1.diff.gz + - https://launchpad.net/~rroessler/+archive/ubuntu/sru-tomcat-backports/+files/tomcat-native_1.3.1-1build1_2.0.14-1~26.04.1.diff.gz
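Review bot: In [ Test Plan ], the two `journalctl -u tomcat10 | grep “Loaded Apache Tomcat Native library”` / `journalctl -u tomcat11 | grep ...` lines use typographic quotes, which a shell does not treat as quoting, so grep receives `“Loaded` as the pattern and the remaining words as file names. Use ASCII double quotes there, and in the quoted `<Connector port=”8080” ...>` snippet so it matches what is actually in server.xml. Step 2 of the co-installation test never says which value to set the port to, while step 4 expects the second service on 8081; name 8081 in step 2. The plan launches only `ubuntu-daily:resolute` although the bug targets Noble, Questing and Resolute, so either repeat the steps per series or state why one series is sufficient. In [ Impact ], "dropped since v10.1.52-2. yet" has a stray full stop.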
--
https://bugs.launchpad.net/bugs/2155817

Title:
  Backport Tomcat to Noble, Questing, Resolute
