Tomcat version in geoserver image contains a vulnerable tomcat version

According to Apache Tomcat® - Apache Tomcat 9 vulnerabilities we should ensure that the docker image for geoserver is using the latest tomcat version.

Currently I'm using 2.27.1, and apparently it is not using the latest version, and so it is vulnerable. Will 2.28.0 use the latest tomcat version?

regards

Torben

Open Source software is a do-ocracy, so it is up to the users to fix things if they can. So please send in your PR to update the docker image.

Ian

The docker-release runs release.sh. It grabs the latest tomcat9 each time:

      if [[ "$VERSION" == "3."* ]]; then
         GEOSERVER_BASE_IMAGE=tomcat:11.0-jdk21-temurin-noble
      else
         GEOSERVER_BASE_IMAGE=tomcat:9.0-jdk17-temurin-noble
      fi

So in this case the release could be run again, using 2.27.1 and 2.28.0 release parameters.

However I am not sure how sustainable that is? 2.27.1 is no longer the current, 2.27.3 is the most recent maintenance release.

Jody
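Since the base image tag above is a floating one (a rebuild of the same GeoServer release picks up whatever tomcat:9.0 was current at build time), the practical question for anyone running a published image is which Tomcat it actually ships. The script below is an added example, not part of the thread or of the geoserver/docker project: it reads the output of Tomcat's own version.sh, extracts the version, and compares it numerically against a minimum you choose. It assumes the image is based on the official tomcat image (so /usr/local/tomcat/bin/version.sh exists); the image reference, the threshold REQUIRED_MIN and the sample version.sh output are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the GeoServer project): find out which Tomcat a
# Docker image actually ships and compare it against a minimum version.
#
# Assumptions (not taken from the thread):
#   - the image is built on the official tomcat image, so
#     /usr/local/tomcat/bin/version.sh is present;
#   - REQUIRED_MIN is a hypothetical threshold; set it to the fix version
#     listed on the Apache Tomcat 9 vulnerabilities page for the CVE you care about.
REQUIRED_MIN="9.0.100"   # hypothetical threshold, not a statement about any CVE

# Read version.sh output on stdin and print the dotted Tomcat version,
# taken from the "Server version: Apache Tomcat/9.0.xx" line.
tomcat_version_from_output() {
    sed -n 's|^Server version: *Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n1
}

# version_ge A B: exit 0 if A >= B, comparing each dotted component as an
# integer (so 9.0.108 > 9.0.85, unlike a plain string comparison).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Run version.sh inside a pulled image (needs Docker; image ref is hypothetical).
image_tomcat_version() {
    docker run --rm --entrypoint /usr/local/tomcat/bin/version.sh "$1" \
        | tomcat_version_from_output
}

# check_image IMAGE MIN: 0 if the image's Tomcat >= MIN, 1 if older,
# 2 if the version could not be determined.
check_image() {
    v=$(image_tomcat_version "$1") || return 2
    [ -n "$v" ] || { echo "$1: could not determine Tomcat version" >&2; return 2; }
    if version_ge "$v" "$2"; then
        echo "$1: Tomcat $v (>= $2) OK"
    else
        echo "$1: Tomcat $v is older than required $2" >&2
        return 1
    fi
}

# Constructed sample of version.sh output (build date and host are made up),
# so the parsing and comparison can be exercised without Docker.
SAMPLE_VERSION_OUTPUT='Using CATALINA_BASE:   /usr/local/tomcat
Using CATALINA_HOME:   /usr/local/tomcat
Server version: Apache Tomcat/9.0.85
Server built:   Jan 1 2024 00:00:00 UTC
Server number:  9.0.85.0
OS Name:        Linux'

# Stand-alone demo on the constructed sample.
demo_version=$(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | tomcat_version_from_output)
if version_ge "$demo_version" "$REQUIRED_MIN"; then
    echo "sample image ships Tomcat $demo_version (>= $REQUIRED_MIN)"
else
    echo "sample image ships Tomcat $demo_version, older than $REQUIRED_MIN; rebuild from the current tomcat:9.0 base"
fi

# With an image reference as the first argument, check a real image instead,
# e.g.: sh check_tomcat.sh docker.osgeo.org/geoserver:2.27.3
if [ -n "${1:-}" ]; then
    check_image "$1" "$REQUIRED_MIN"
fi
```

The numeric comparison matters because Tomcat patch numbers pass 100, where a string compare would rank 9.0.85 above 9.0.108; and because the base tag floats, the only reliable answer is to ask the image you actually run rather than to infer it from the GeoServer version.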

Once a patch version is tagged it should not be re-built / published with the same tag. The GeoServer project is not well suited to publishing evergreen versions such as -latest because of the way upgrades work.

As Jody says, 2.27.1 is out-of-date; it dates back to May 2025. You should be using 2.27.3 as it addresses important security issues.

You could of course always build your own image; all the scripts are available at GitHub - geoserver/docker: GeoServer docker image