tomcat10 version for Noble

Asked by Simon Burke

The tomcat10 package for 24.04 is currently 11 months old, and has multiple high-scoring CVEs available. However, the tomcat10 package has been updated for 24.10 to fix these in

CVEs:
CVE-2024-24549
CVE-2024-23672
CVE-2024-38286
CVE-2024-34750

Sources:
CVEs: https://tomcat.apache.org/security-10.html
Current packages: https://launchpad.net/ubuntu/+source/tomcat10

Question information

Language: English
Status: Answered
For: Ubuntu tomcat10
Assignee: No assignee
Simon Burke (simonb2048) said :
#1

I am already aware that SRU policy states they will not fix.
Security team have yet to comment.

The existing package is 11 months old and has multiple DoS vulnerabilities, one of which may affect the entire system. All of them are rated high.

Simon Burke (simonb2048) said :
#2

I understand that the security team should evaluate and provide a fix, but currently the CVEs have not been reviewed, and most of them have been available for some time.

So therefore I would like to know how we can progress the appropriate patches and builds to provide a less vulnerable release?

Even if the CVEs are not a factor, 11 months is a substantial amount of time for a potentially internet-facing application. These updates would also be covered by the SRU.

There are at least two applicable cases in the SRU requirements https://canonical-sru-docs.readthedocs-hosted.com/en/latest/reference/requirements/#what-is-acceptable-to-sru

Simon Burke (simonb2048) said :
#3

Security team have now told me that "tomcat10 is in universe, therefore it is community maintained."

actionparsnip (andrew-woodhead666) said :
#4
