Posted to users@tomcat.apache.org by Darryl Philip Baker <da...@northwestern.edu> on 2020/07/25 14:53:53 UTC

Tomcat CVE watch

We have switched from using the Red Hat supplied version of Tomcat to the Apache supplied binary distribution. My management would like me to follow any CVE related to Tomcat. I am wondering if there is a mailing list I can subscribe to that will give me just those items.

I should be following all the CVEs but there are not enough hours in the day to do that and stay on top of my assigned duties.

This is on top of designing an update cycle that we can make work. There are not enough people cycles to install and regression test every point release across every application we have using Tomcat.

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
darryl.baker@northwestern.edu
(847) 467-6674


Re: Tomcat CVE watch

Posted by calder <ca...@gmail.com>.
On Sat, Jul 25, 2020, 09:55 Darryl Philip Baker <
darryl.baker@northwestern.edu> wrote:

> We have switched from using the Red Hat supplied version of Tomcat to the
> Apache supplied binary distribution. My management would like me to follow
> any CVE related to Tomcat. I am wondering if there is a mailing list I can
> subscribe to that will give me just those items.
>

http://tomcat.apache.org/lists.html#tomcat-announce

"The list is used to announce Tomcat releases, security vulnerabilities and
other project announcements."