Tomcat CVE watch

Darryl Philip Baker
We have switched from using the Red Hat supplied version of Tomcat to the Apache supplied binary distribution. My management would like me to follow any CVE related to Tomcat. I am wondering if there is a mailing list I can subscribe to that will give me just those items.

I should be following all the CVEs but there are not enough hours in the day to do that and stay on top of my assigned duties.

This is on top of designing an update cycle that we can make work. There are not enough people cycles to install and regression test every point release across every application we have using Tomcat.

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
[hidden email]
(847) 467-6674

Re: Tomcat CVE watch

calder
On Sat, Jul 25, 2020, 09:55 Darryl Philip Baker <[hidden email]> wrote:

> We have switched from using the Red Hat supplied version of Tomcat to the
> Apache supplied binary distribution. My management would like me to follow
> any CVE related to Tomcat. I am wondering if there is a mailing list I can
> subscribe to that will give me just those items.
>

http://tomcat.apache.org/lists.html#tomcat-announce

"The list is used to announce Tomcat releases, security vulnerabilities and
other project announcements."