Re: Question about upgrading tomcat-embed-core from 10.1.20 to 10.1.25

2024-09-15 Thread Mark Thomas




On 15/09/2024 00:37, KARR, DAVID wrote:

> We build SpringBoot applications that reference "tomcat-embed-core" from 
> "spring-boot-starter-jersey". We currently end up with version 10.1.20 of 
> tomcat-embed-core, using spring-boot 3.2.5.  There is apparently a CVE for 
> that version of tomcat-embed-core (I don't have the CVE handy right now).  
> The resolution is to replace it with version 10.1.25.  That, being a patch 
> version, seems like a safe upgrade from a functionality point of view. Are 
> there any known issues from performing that upgrade?


There is a known issue with non-blocking reads and chunked encoding in 
10.1.24 to 10.1.29.


I'd wait for 10.1.30 in a few days (HTTP/2 is broken in 10.1.29).

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Question about upgrading tomcat-embed-core from 10.1.20 to 10.1.25

2024-09-15 Thread KARR, DAVID
Thanks for that. Could you give me more info on those problems in 10.1.24-29, 
like links to the issues?

From: Mark Thomas 
Sent: Sunday, September 15, 2024 9:14 AM
To: users@tomcat.apache.org
Subject: Re: Question about upgrading tomcat-embed-core from 10.1.20 to 10.1.25


On 15/09/2024 00:37, KARR, DAVID wrote:

> We build SpringBoot applications that reference "tomcat-embed-core" from 
> "spring-boot-starter-jersey". We currently end up with version 10.1.20 of 
> tomcat-embed-core, using spring-boot 3.2.5.  There is apparently a CVE for 
> that version of tomcat-embed-core (I don't have the CVE handy right now).  
> The resolution is to replace it with version 10.1.25.  That, being a patch 
> version, seems like a safe upgrade from a functionality point of view. Are 
> there any known issues from performing that upgrade?



There is a known issue with non-blocking reads and chunked encoding in 
10.1.24 to 10.1.29.



I'd wait for 10.1.30 in a few days (HTTP/2 is broken in 10.1.29).



Mark









Re: Question about upgrading tomcat-embed-core from 10.1.20 to 10.1.25

2024-09-15 Thread Chuck Caldarale

> On Sep 15, 2024, at 17:03, KARR, DAVID wrote:
> 
> Thanks for that. Could you give me more info on those problems in 10.1.24-29, 
> like links to the issues?


Look at the Coyote component in the 10.1 changelog for the details:
https://tomcat.apache.org/tomcat-10.1-doc/changelog.html

The 10.1.29 HTTP/2 problem and fix are described here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=69320

  - Chuck


> From: Mark Thomas 
> Sent: Sunday, September 15, 2024 9:14 AM
> To: users@tomcat.apache.org
> Subject: Re: Question about upgrading tomcat-embed-core from 10.1.20 to 
> 10.1.25
> 
> On 15/09/2024 00:37, KARR, DAVID wrote:
> 
>> We build SpringBoot applications that reference "tomcat-embed-core" from 
>> "spring-boot-starter-jersey". We currently end up with version 10.1.20 of 
>> tomcat-embed-core, using spring-boot 3.2.5.  There is apparently a CVE for 
>> that version of tomcat-embed-core (I don't have the CVE handy right now).  
>> The resolution is to replace it with version 10.1.25.  That, being a patch 
>> version, seems like a safe upgrade from a functionality point of view. Are 
>> there any known issues from performing that upgrade?
> 
> 
> There is a known issue with non-blocking reads and chunked encoding in 
> 10.1.24 to 10.1.29.
> 
> I'd wait for 10.1.30 in a few days (HTTP/2 is broken in 10.1.29).