Hi Mike , Thanks for the email. Will continue with Apache Tomcat 9+ . But when we can expect the change in guacamole which supports Tomcat 10+?
On Fri, 6 Oct 2023 at 23:33, Michael Jumper <[email protected]> wrote: > On 10/6/2023 10:52 AM, Nick Couchman wrote: > > On Fri, Oct 6, 2023 at 1:27 PM Rihab Kasim <[email protected]> > wrote: > > > >> Can we do it by ourselves? Is it possible? If not when we can expect the > >> changes . Since upgrade to Tomcat 10+ is recommended due to some > >> vulnerabilities. > >> > >> > > Yes, you can definitely do it yourself - if you're going to undertake it, > > though, I'd recommend that you consider contributing the effort back to > the > > community via a pull request against the Jira issue that I mentioned. > There > > are several other folks who have asked about it, so there are many others > > who would benefit from that work. > > > > https://guacamole.apache.org/open-source/ > > > > Also, beware that the primary factor in the complexity of this is > maintaining compatibility. The easy route (simply replace all javax.* > with jakarta.*) will result in breaking changes to the extension API, > and even some third-party dependencies may not be compatible without > updates that may not yet have occurred. > > It's not correct that there is a need to upgrade to Tomcat 10+ due to > vulnerabilities. As Nick mentioned earlier in the thread, Tomcat 9.0.x > is actively developed and supported (latest release was 9.0.80 on > 2023-08-25). If a security issue is discovered with Tomcat 9.0.x, the > Tomcat security team should address it as they would with any > actively-supported Tomcat release. > > See: > > https://tomcat.apache.org/whichversion.html > https://tomcat.apache.org/security-9.html > https://tomcat.apache.org/download-90.cgi > > - Mike >
