Needed for https://github.com/spring-projects/spring-boot/pull/37808

Comment From: philwebb

Looks like we might need to wait for 10.1.15 with this fix

Comment From: ndrscodes

Just a reminder:

As already mentioned in #37845, The current tomcat version is vulnerable to CVE-2023-44487. The vulnerability is expoitable and currently awaiting analysis at NIST. It was rated as a high severity vulnerability with a score of 7.5 by Snyk.

Once the fix is in place, i think this should be rolled out rather sooner than later :)

Comment From: grgrzybek

Just a reminder - you also need this fix related to gzip compression.

@philwebb hi - I didn't find a ticket for Spring Boot 2.7.x which uses Tomcat 9.0.80 affected by CVE-2023-44487. Mind that there's the same situation - version 9.0.81 fixes this CVE, but breaks gzip encoding. 9.0.82 should be available soon (under ASF voting now).

Comment From: grgrzybek

Tomcat 9.0.82 is already available. 10.1.15 should be in Maven Central soon I guess.

Comment From: wilkinsona

Thanks for the info, but it isn't really necessary. Please rest assured that we're well aware of the situation with CVE-2023-44487 and we will be upgrading our various web server dependencies once the remaining releases are available.

In the hope that it minimises any further noise for those watching the repository, I am going to lock this issue.

The next Spring Boot releases will be on 19 October as planned. In the meantime, if your chosen web server has released a version that mitigates CVE-2023-44487, you can upgrade to it by overriding Spring Boot's dependency management.

Comment From: wilkinsona

Superseded by https://github.com/spring-projects/spring-boot/issues/37901.