[MGNLTOMCAT-25] Update to Tomcat 9.0.65 Created: 01/Jul/22  Updated: 18/Aug/22  Resolved: 25/Jul/22

Status: Closed
Project: Barebones Tomcat Bundle
Component/s: None
Affects Version/s: 1.1.10, 1.2.9
Fix Version/s: 1.1.11, 1.2.11

Type: Task Priority: Neutral
Reporter: Federico Grilli Assignee: Federico Grilli
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Acceptance criteria:
Empty
Task DoR:
Empty
Task DoD:
[X]* Cloud deployments affected?
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Release notes required:
Yes
Date of First Response:
Team: Foundation

Description
[ERROR] One or more dependencies were identified with vulnerabilities: 
...
[ERROR] tomcat-9.0.64.tar.gz: tomcat-9.0.64.tar: catalina.jar: CVE-2022-34305(6.1)
...

[...] the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2022-34305

Magnolia bundles aren't affected, as the Tomcat sample web applications are removed from them. Still, we're going to do the update as soon as possible as part of regular third-party dependency maintenance, to avoid building up a large version delta.
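The two facts this ticket relies on (the bundle does not ship the Tomcat examples webapp, and the bundled Tomcat is at least 9.0.65) can be verified mechanically on an unpacked distribution. The script below is an added example, not code from the issue or the tomcat-barebone project. It assumes the stock Tomcat layout: samples under webapps/examples and a RELEASE-NOTES file whose header line reads "Apache Tomcat Version X.Y.Z". The two directories it inspects are constructed inline so it runs without a real Tomcat download.

```shell
#!/bin/sh
# Added example, not part of the Jira issue or the tomcat-barebone project:
# gate a Tomcat distribution on (a) the "examples" web application being absent
# (the component affected by CVE-2022-34305) and (b) the version being at least
# 9.0.65, the version this issue updates to. Assumes the stock Tomcat layout:
# webapps/examples for the samples and a RELEASE-NOTES file whose header reads
# "Apache Tomcat Version X.Y.Z".

FIXED_VERSION=9.0.65

# Succeeds (returns 0) when the distribution at $1 ships webapps/examples.
tomcat_has_examples() {
    [ -d "$1/webapps/examples" ]
}

# Prints the version from RELEASE-NOTES, or "unknown" when it cannot be read.
tomcat_version() {
    if [ ! -f "$1/RELEASE-NOTES" ]; then
        echo unknown
        return 0
    fi
    v=$(awk '/Apache Tomcat Version/ { print $4; exit }' "$1/RELEASE-NOTES")
    echo "${v:-unknown}"
}

# Returns 0 when dotted version $1 is >= $2, comparing numerically per component.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Applies both checks to one distribution directory; returns 1 on any failure.
check_bundle() {
    dir=$1
    if tomcat_has_examples "$dir"; then
        echo "FAIL $dir: ships webapps/examples (affected by CVE-2022-34305)"
        return 1
    fi
    v=$(tomcat_version "$dir")
    if [ "$v" = unknown ] || ! version_ge "$v" "$FIXED_VERSION"; then
        echo "FAIL $dir: Tomcat $v is below $FIXED_VERSION"
        return 1
    fi
    echo "OK   $dir: Tomcat $v, no examples webapp"
}

# Constructed sample layouts (not real Tomcat downloads) to exercise the gate:
# $1 = target dir, $2 = version string, $3 = "yes" to include webapps/examples.
make_sample() {
    mkdir -p "$1/lib" "$1/webapps/ROOT"
    if [ "$3" = yes ]; then
        mkdir -p "$1/webapps/examples"
    fi
    printf 'Apache Tomcat Version %s\n    Release Notes\n' "$2" > "$1/RELEASE-NOTES"
}

SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
make_sample "$SAMPLE_ROOT/stock-9.0.64" 9.0.64 yes     # old release that still ships the samples
make_sample "$SAMPLE_ROOT/barebone-9.0.65" 9.0.65 no   # what the update should produce

STATUS=0
for d in "$SAMPLE_ROOT"/*; do
    check_bundle "$d" || STATUS=1
done
# In CI, exit with $STATUS so any FAIL line fails the build.
```

Point the loop at the unpacked bundle instead of the constructed directories to use it as a release gate; the version comparison is numeric per component, so 9.0.100 correctly sorts above 9.0.65.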

Comments
Comment by Jan Haderka [ 07/Jul/22 ]

Issue is with samples only. We can close it as soon as we verify that Magnolia bundle doesn't include tomcat samples.

Comment by Mikaël Geljić [ 21/Jul/22 ]

fwiw, Tomcat 9.0.65 was released on July 14.

Comment by Federico Grilli [ 25/Jul/22 ]

Tomcat version updated by Renovate in tomcat-barebone module, see
https://git.magnolia-cms.com/projects/PLATFORM/repos/tomcat-barebone/pull-requests/42/overview
https://git.magnolia-cms.com/projects/PLATFORM/repos/tomcat-barebone/pull-requests/43/overview

Generated at Sun Feb 11 23:26:46 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.