Pki-servlet-engine marked as 'Will not fix' for newer CVEs

Hi ,
we are at katello 4.10 and foreman 3.8 on Oracle Linux 8 server for katello , and pki-servlet-engine-9.0.50-1 is the latest update , there are a few CVE security tickets about this version of pki-servlet-engine, some of these showed “will not fix” on Red Hat site .
According to Why is pki-servlet-engine marked as 'Will not fix' for newer CVEs? - Red Hat Customer Portal, Red Hat will not provide fix to pki-sevlet-engine package anymore but instead will do it for the tomcat package . Is there a plan to move away from pki-servlet-engine package and use tomcat instead for katello ?

Thanks.

I’m looking for an answer to this question as well.

Me too.

@ehelms I see you’ve been involved in 2215345 – Tomcat version shipped with Satellite 6.11\12\13 are susceptable to many CVEs as reported by Nessus and Qualys VA scan., can you shed any light here?

I think many of us would like to know how CVEs are fixed in foreman and katello generally. I know of being those fixed in RedHat Satellite but how it is in upstream ?

Both pki-servlet-engine and tomcat come from the underlying OS packages, and users consume fixes for those from their choice of OS. Depending on where your choice of OS is at in the lifecycle - CentOS Stream, RHEL or a RHEL re-builder will determine when you are able to see and consume updates for CVEs generally speaking.

As for pki-servlet-engine and tomcat, due to modularity not playing nicely we have had to work with the maintainers of those packages to figure out a solution that will allow us to make use of the tomcat package itself without breaking upgrades. There is a tested solution that should be hitting CentOS 8 Stream soon and then each OS will receive the update on their own cadence in the ecosystem.