There is a new CVE with Tomcat
Lucee as distributed is not vulnerable as it requires a number of configuration changes which we do not set.
As part of the installer/express refactoring, we now produce express templates which can be used as templates for custom installs or to see the recommended configuration for Lucee on Tomcat.
https://update.lucee.org/rest/update/provider/expressTemplates
{
tomcat-9: "https://cdn.lucee.org/express-templates/lucee-tomcat-9.0.102-template.zip",
tomcat-11: "https://cdn.lucee.org/express-templates/lucee-tomcat-11.0.5-template.zip",
tomcat-10: "https://cdn.lucee.org/express-templates/lucee-tomcat-10.1.39-template.zip"
}
You can either look at the express templates, or Lucee express distribution to see how we configure Tomcat.
The code for this is found in the Lucee installer repo
The Lucee Installer also now shows the bundled Java and Tomcat versions on the Welcome screen.
The Installer does allow selecting a different Lucee.jar, i.e. installing older versions.
Keep in mind, only Lucee 6.2+ supports Tomcat 10.1 and 11 (jakarta),
previous versions of Lucee only support / require Tomcat 9 (javax).