16 Jul 2026 18:27:57 Lisa Sayre <[email protected]>:
Hi,
My application is currently using Apache Tomcat 9.0.120 on a RHEL 9.2.
We plan to utilize Apache Tomcat 9.1.x once it is released.
We are concerned about the timing of the 9.1.x release and if we will
have enough time to migrate/upgrade our application to using 9.1 before
9.0.x is officially EOL - which we see on Apache's website states that
9.0 EOL is no earlier than March 31st 2027.
I understand that no release date has been provided for 9.1, but can
you provide guidance as to how long of a window or timeline software
vendors like us will have to migrate our applications before 9.0 is
EOL? The issue is security vulnerabilities.
12 months.
We have stated multiple times, on this mailing list, starting in March /
April this year that the first 9.1.x release will follow the final 9.0.x
release and that you will be able to treat it exactly like a 9.0.x to
9.0.x+1 update providing:
- you aren't using the APR connector
- if you are using Tomcat Native, you are using 2.0.x
You have from now (actually since ~April this year) to migrate off the
APR connector if you are using APR and to Native 2.0 x if you are using
Native 1.x.
The only reason there is a minor version bump is dropping APR support and
dropping Native 1.x support.
For example, we get notification from Apache on March 20th 2027 for a
9.0.x release - which is presumably the last 9.0 release before it is
EOL on March 31st 2027. We then get a notification from Apache on
March 27th for the 9.1.x release. This gives us three days to migrate,
test, and deliver our software to our customer base, and it gives them
very little time to upgrade so that they are covered in terms of
security vulnerabilities. Our customer's security teams are stating
that at midnight, March 31st, if Apache Tomcat is not upgraded to 9.1,
then the company will have to shut the application/system down to avoid
being vulnerable.
Then those security teams need to rethink their plans based on what is
actually happening rather than their misunderstanding of what is
happening.
All they need to do is treat it like just another point release. There
won't be any security vulnerabilities announced for the final 9.0.x
release until the first 9.1.x release is available with fixes for those
issues (unless the issue is in APR or Native 1.3.x in which case it won't
get fixed).
Better yet, tell them to buy some tickets to CoC Glasgow and they can
listen to me talking about the migration process and, if they still have
questions, I can answer them in person.
Any guidance on how much time will be given from the time Tomcat 9.1 is
released to the time 9.0 is EOL would be appreciated.
Thank you,
Lisa Sayre
I expect that last 9.0.x release will be in March 2027 and the first
9.1.x release will be in April 2027.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]