Vulnerability Resolution Timeline

The following vulnerabilities have been detected by our scanners in the Foreman application:

Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability
Apache Commons Text 1.5.x < 1.10.0 Remote Code Execution
PostgreSQL JDBC Driver 42.2.x < 42.2.27 / 42.3.x < 42.3.8 / 42.4.x < 42.4.3 / 42.5.x < 42.5.1 Information Disclosure

Expected outcome:
The indicated software packages must be updated to the following versions to close detected vulnerabilities:

Apache Tomcat - 9.0.69
Apache Commons Text - 1.10.0
PostgreSQL JDBC Driver - 42.4.3

Is implementation of the above updates currently planned for a future release? If so, is there an expected timeline available for these updates?

What scanner? Did it actually tested for vulnerabilities or did it only find out the versions of the software? Do you know how RHEL-derivates work?

Requirements like these will not really work on a RHEL-derived system…

Also, what version of Foreman on what OS platform version?

@gvde Nessus, and it seems like it is only checking for the affected software versions.

I see what you mean, these packages seem to be sourced from RedHat, not bundled with Foreman. Bad information on my side.