Supersedes #29245
Comment From: astellingwerf
Hi @snicoll, would this change be released as a 2.6.x release? Without it, 2.6.3 is susceptible to CVE-2022-23181.
Comment From: snicoll
@astellingwerf every single release of Spring Boot is going through a semi-automated upgrade process.
Comment From: wilkinsona
In other words, yes, Tomcat 9.0.58 (or later) will be part of the next 2.6.x release. It'll also be in the next 2.5.x release as well.
In the meantime, you can use tomcat.version to override the version.
Comment From: astellingwerf
Thanks @wilkinsona, that's a concrete answer to my specific question.