Needs backport because of the CVE reports: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
The Apache Tomcat team announces the immediate availability of Apache
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.43 is a bugfix and feature release. The notable
changes compared to 9.0.41 include:
- Add support for using Unix domain sockets for NIO when running on Java
16 or later.
- Add a new StringInterpreter interface that allows applications to
provide customised string attribute value to type conversion within
JSPs. This allows applications to provide a conversion implementation
that is optimised for the application.
- Add peerAddress to coyote request, which contains the IP address of
the direct connection peer. If a reverse proxy sits in front of Tomcat
and the RemoteIp(Valve|Filter) is used, the peerAddress is likely to
differ from the remoteAddress. The remoteAddress is likely to contain
the address of the client in front of the reverse proxy, not the
address of the proxy itself.
Please refer to the change log for the complete list of changes: