Upgrade to Tomcat 9.0.36

[wilkinsona]

No description provided.

[rmkanda]

Vulnerability

tomcat-embed-core-9.0.34.jar (pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.34, cpe:2.3:a:apache:tomcat:9.0.34:*:*:*:*:*:*:*, cpe:2.3:a:apache_software_foundation:tomcat:9.0.34:*:*:*:*:*:*:*, cpe:2.3:a:apache_tomcat:apache_tomcat:9.0.34:*:*:*:*:*:*:*) : CVE-2020-9484

Dependency Tree

org.springframework.boot:spring-boot-starter-web:jar:2.2.7.RELEASE
|  +- org.springframework.boot:spring-boot-starter-json:jar:2.2.7.RELEASE
|  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.10.4
|  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.10.4
|  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.2.7.RELEASE
|  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.34
|  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.34
|  \- org.springframework:spring-web:jar:5.2.6.RELEASE

[rmkanda]

@wilkinsona Is there any plan to release spring-boot-starter-web and spring-boot-starter-tomcat ? Thanks

[wilkinsona]

@rmkanda Yes, we have some releases planned for tomorrow. You can always learn about our release plans on the project's milestone page.

FWIW, that vulnerability is a false-positive unless you have some custom (and quite unusual) Tomcat configuration.

[OldIMP]

After upgrading to sprint boot parent 2.3.1, we also got a false positive vulnerability about tomcat-embed-core 9.0.35 using OWASP dependency-check-maven-plugin and SonarQube