On Ubuntu 16.04 I've been using the tomcat8 package. I enjoyed an automatic installation process and was guaranteed to receive packaged security updates for 5 years courtesy of Canonical. So, even though version 8.0 has been declared EOL, I can still use it on my Ubuntu server knowing that any vulnerabilities are going to be addressed.
$ ubuntu-support-status --show-supported
Supported until April 2021 (Canonical - 5y):
tomcat8 tomcat8-admin tomcat8-common
Much to my dismay, on Ubuntu 18.04 the tomcat8 package has been moved to Universe. In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Is my understanding of things correct? Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Update: To be clearer, with 16.04 I could simply run apt update tomcat8 and be sure that there would be no vulnerabilities left unpatched. Running the same command today on 18.04, I get version 8.5.30-1ubuntu1, which is behind the latest available (8.5.37) and apparently affected by more than one known vulnerability.