Tomcat has been updated to version 9.0.71 (see Changelog Tomcat 9.0.71 ) to prevent known vulnerabilities.

Please be aware that Tomcat >= 9.0.69 serves cookies with dates formatted as required by RFC 6265 (see Changelog Tomcat 9.0.69 ). This may have to be respected in HTTP client implementations. When e.g. the Apache HttpClient is used and cookies are retrieved via the CookieStore , the cookie specification must be set to standard - see RequestConfig.Builder#setCookieSpec and CookieSpecs .

Furthermore, the properties for the Tomcat versions have been consolidated. There's no need to use different properties for Tomcat and Embedded Tomcat dependencies, hence the tomcat.embed.version properties have been dropped and Tomcat versions are now uniquely configured with the tomcat.version property.

(CMS-22521)