According to Apache Tomcat® - Apache Tomcat 9 vulnerabilities we should ensure that the docker image for geoserver is using the latest tomcat version.
Currently I'm using 2.27.1, and apparently it is not using the latest version, and so it is vulnerable. Will 2.28.0 use the latest Tomcat version?
regards
Torben
Open Source software is a do-ocracy, so it is up to the users to fix things if they can. So please send in your PR to update the docker image.
Ian
jive
November 10, 2025, 11:03pm
3
The docker-release runs release.sh. It grabs the latest tomcat9 each time:

    if [[ "$VERSION" == "3."* ]]; then
      GEOSERVER_BASE_IMAGE=tomcat:11.0-jdk21-temurin-noble
    else
      GEOSERVER_BASE_IMAGE=tomcat:9.0-jdk17-temurin-noble
    fi

So in this case the release could be run again, using 2.27.1 and 2.28.0 release parameters.
However, I am not sure how sustainable that is. 2.27.1 is no longer the current release; 2.27.3 is the most recent maintenance release.
Jody
mprins
November 14, 2025, 3:01pm
4
Once a patch version is tagged it should not be re-built / published with the same tag. The GeoServer project is not well suited to publishing evergreen versions such as -latest because of the way upgrades work.
As Jody says, 2.27.1 is out of date; it dates back to May 2025. You should be using 2.27.3, as it addresses important security issues.
You could of course always build your own image; all the scripts are available at GitHub - geoserver/docker: GeoServer docker image
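
Because the base image tag quoted above floats, the Tomcat version inside a published or self-built image is whatever that tag pointed to on build day. The following is an added example, not part of the thread or the GeoServer project's scripts, that checks the Tomcat version an image reports against a minimum you take from the Tomcat security page; the function names, the sample output and the version numbers in it are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread or the GeoServer scripts): check the Tomcat
# version inside a built image. Feed it the output of Tomcat's version.sh, e.g.
#   docker run --rm --entrypoint version.sh <your-image> | check_tomcat 2.27.3 <minimum>
# (assumption: the image keeps the base image's bin/ directory on PATH).

# Tomcat line the release script selects (mirrors the release.sh snippet in the thread).
tomcat_line_for() {
  case "$1" in
    3.*) echo "11.0" ;;
    *)   echo "9.0" ;;
  esac
}

# Pull "9.0.105" out of the "Server number:  9.0.105.0" line of version.sh output.
tomcat_version_from() {
  sed -n 's/^Server number:[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed when version $1 >= version $2, comparing each field as a number.
version_at_least() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) if (x[i] + 0 != y[i] + 0) exit !(x[i] + 0 > y[i] + 0)
    exit 0 }'
}

# $1 = GeoServer version, $2 = minimum Tomcat version; version.sh output on stdin.
check_tomcat() {
  found=$(tomcat_version_from)
  line=$(tomcat_line_for "$1")
  case "$found" in
    "")        echo "UNKNOWN"; return 2 ;;
    "$line".*) ;;
    *)         echo "WRONG-LINE $found"; return 2 ;;
  esac
  if version_at_least "$found" "$2"; then echo "OK $found"; return 0; fi
  echo "OUTDATED $found"; return 1
}

# Constructed sample of version.sh output; the version numbers are illustrative only.
SAMPLE='Server version: Apache Tomcat/9.0.105
Server number:  9.0.105.0
OS Name:        Linux'
printf '%s\n' "$SAMPLE" | check_tomcat 2.27.1 9.0.108 || true   # prints: OUTDATED 9.0.105
```

The non-zero exit status on `OUTDATED`, `UNKNOWN` and `WRONG-LINE` lets the check gate a CI job or a scheduled rebuild of a self-built image.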