With the latest Spring Boot releases 2.1.13 and 2.2.5, Tomcat has been updated to Tomcat 9.0.31. This version closed a serious AJP CVE, therefore we have to update Tomcat as soon as possible. Unfortunately Tomcat 9.0.31 has another critical bug when passing an SSL truststore as a JVM option: https://bz.apache.org/bugzilla/show_bug.cgi?id=64141
Due to this bug our SSL connections with mutual authentication are not working anymore. I already tested adding the new Tomcat 9.0.33 as a dependency. Using this version, the SSL connections are working again.
Please update to the newest Tomcat version and release a new Spring Boot version as soon as possible.
Thanks and best regards, Roberto
Comment From: wilkinsona
Thanks, but as described in the issue creation template, there's no need to open an issue for a dependency upgrade. We'll pick up the latest release of Tomcat (and all our other dependencies) before our next releases. In the meantime you can use `tomcat.version` to override the version to meet your needs.
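The `tomcat.version` override mentioned above, as an added example (not code from the issue or from the Spring Boot project): a Maven `pom.xml` that inherits from `spring-boot-starter-parent` 2.2.5.RELEASE and pins the embedded Tomcat to 9.0.33, the version the reporter tested; the project coordinates are placeholders, and the Gradle equivalent is noted in a comment.

```xml
<!-- Added example: pinning embedded Tomcat in a Spring Boot 2.2.5 project.
     The tomcat.version property is the one Spring Boot's dependency
     management (spring-boot-dependencies) reads for all tomcat-embed-* artifacts. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.2.5.RELEASE</version>
  </parent>
  <!-- placeholder coordinates -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <!-- The managed default, 9.0.31, closes the AJP CVE but breaks SSL
         connections when a truststore is passed as a JVM option (bz 64141).
         9.0.33 contains both fixes, so override the managed version here. -->
    <tomcat.version>9.0.33</tomcat.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
<!-- Gradle equivalent (build.gradle, with the io.spring.dependency-management
     plugin applied):   ext['tomcat.version'] = '9.0.33'
     Check the resolved version with:  mvn dependency:tree | grep tomcat-embed -->
```

After the override, confirm at startup that the Tomcat banner in the application log reports 9.0.33 and not the managed 9.0.31, since a stale transitive pin elsewhere in the build would silently leave the broken version in place.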