Endless Lifecycle Support for Libraries
Available Guides for ELS for Libraries
If something's missing or you have questions, contact sales@tuxcare.com.
Ecosystems covered: Java, JavaScript, Python, PHP, .NET

Java (product: supported versions):
- Apache Avro: 1.10.2
- Apache Axis: 1.4
- Apache Commons BeanUtils: 1.9.4
- Apache Commons Compress: 1.20
- Apache Commons HttpClient: 3.1
- Apache Commons IO: 2.5 | 2.7
- Apache Commons Lang: 2.4 | 2.6
- Apache Commons Lang3: 3.4 | 3.8.1 | 3.10 | 3.12.0 | 3.17.0
- Apache CXF: 3.5.9 | 3.5.11
- Apache HttpComponents Client: 4.5.2
- Apache Kafka®: 3.2.3
- Apache Log4j: 1.2.17
- Apache Lucene®: 5.5.5
- Apache Solr: 5.5.5
- Apache Maven: 3.8.1
- Apache Maven Shared Utils: 3.2.1
- Apache Spark™: 2.4.8
- Apache Struts™: 1.3.5 | 2.5.33
- Apache Thrift: 0.9.1 | 0.9.3
- Apache Tomcat®: 8.5.100 | 9.0.46 | 9.0.50 | 9.0.75 | 9.0.83 | 9.0.87 | 9.0.90 | 9.0.100 | 10.1.18
- Apache Velocity Engine™: 1.7
- Apache XMLBeans: 2.6.0
- Bouncy Castle: 1.64 | 1.76
- DNSJava: 2.1.7
- Dom4j: 1.6.1
- Eclipse JGit: 5.7.0 | 5.13.3
- Eclipse Parsson: 1.0.0
- EdDSA: 0.3.0
- el-spec: 3.0.0
- Google Gson: 2.8.5 | 2.9.1
- Google Guava: 20.0 | 25.1-android | 25.1-jre | 27.1-android | 27.1-jre | 30.1-jre | 31.1-jre
- Google Guice: 4.2.1
- Google OAuth Client: 1.25.0
- H2 Database: 1.4.200
- Hazelcast: 4.2.8
- Hibernate: 5.4.32.Final | 5.6.15.Final
- Hibernate Search: 5.11.10.Final
- HtmlUnit: 2.70.0
- iText: 2.1.7
- Jackson: 1.9.13
- JBoss XNIO: 3.8.0
- JDOM: 1.0 | 1.1.3
- JSON: 20090211 | 20140107
- JSON Assert: 1.2.3
- JSON Smart v2: 2.4.8
- Logback: 1.1.7 | 1.2.13 | 1.4.14
- LZ4: 1.8.1
- Mozilla Rhino: 1.7.10 | 1.7.15
- NekoHTML: 1.9.22
- Netty: 4.1.115.Final | 4.1.63.Final
- Nimbus JOSE + JWT: 9.22 | 9.24.4
- OkHttp3: 3.14.9
- Okio: 2.8.0 | 2.10.0
- Plexus Utils: 1.4.5 | 1.5.8
- PostgreSQL driver: 42.2.16 | 42.5.0
- Protobuf: 2.5.0 | 2.6.1
- Querydsl: 5.1.0
- Reactor BOM: 2020.0.23 | 2020.0.38 | 2022.0.15
- Reactor Netty: 1.0.23 | 1.0.32 | 1.0.39 | 1.1.15
- RSocket: 1.1.3
- SnakeYAML: 1.23 | 1.26 | 1.29 | 1.30 | 1.33
- Snappy Java: 1.1.8.4
- Sonatype Aether: 1.13.1
- Spring® Framework: versions vary per module
- Spring® AMQP: 2.4.17
- Spring® Batch: 4.3.10
- Spring® Boot: versions vary per module
- Spring® Cloud: 3.1.9
- Spring® Data: versions vary per module
- Spring® Security: versions vary per module
- Spring® Security OAuth: 1.1.1
- Spring® Web Services: 3.1.8
- Spring® Integration: 5.5.20
- Spring® HATEOAS: 1.5.6
- Spring® LDAP: versions vary per module
- Spring® GraphQL: 1.0.6
- Spring® Retry: 1.3.4
- Spring® Plugin: 2.0.0
- Spring® Web Flow: 2.3.1 | 2.3.3
- Thymeleaf: 3.0.15.RELEASE
- Undertow: 2.2.33.Final | 2.3.10.Final
- Woodstox: 5.0.3
- Xerces: 2.11.0
- XMLUnit: 2.9.1 | 2.9.0
- Eclipse Jetty: 8.2.0.v20160908 | 9.4.24.v20191120 | 9.4.48.v20220622 | 9.4.53.v20231009 | 9.4.59 | 10.0.27 | 11.0.19 | 11.0.27
- Apache Santuario XML Security For Java: 2.0.10 | 2.3.1
Vulnerability Coverage and Target Response Times
TuxCare employs the Common Vulnerability Scoring System (CVSS v3.1) to assess the severity of security vulnerabilities. Our severity rating system for patching vulnerabilities integrates both NVD scoring and vendor scoring (when available). When the vendor's score is lower than the NVD score, we prioritize the NVD score.
Aligning with many industry standards and regulatory requirements, TuxCare is committed to delivering timely security updates. For instance, the Payment Card Industry Data Security Standard (PCI DSS) mandates that all 'High' vulnerabilities (CVSS score of 7.0+) must be addressed within 30 days. Other regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare or the Federal Information Security Management Act (FISMA) for government agencies, uphold similar requirements.
Vulnerability coverage. TuxCare shall provide security patches for critical- and high-risk (CVSS 7.0 and above), medium-risk (CVSS 4.0 to 6.9), and low-risk (CVSS 0.1 to 3.9) vulnerabilities. TuxCare reserves the right to offer a mitigation strategy as an alternative to a direct code fix.
Response time. TuxCare will make commercially reasonable efforts to adhere to the following guidelines when addressing vulnerabilities:
- High- and critical-risk vulnerabilities (CVSS 7.0 and above): Patches are provided within 14 days from the date the vulnerabilities are publicly disclosed.
- Medium-risk vulnerabilities (CVSS 4.0 to 6.9): Patches are provided within 60 days from the date the vulnerabilities are publicly disclosed.
- Low-risk vulnerabilities (CVSS 0.1 to 3.9): Patches are provided within 90 days from the date the vulnerabilities are publicly disclosed.
Incident Reporting and Response Timeframe
Customers can report vulnerabilities by submitting a ticket through the TuxCare Support Portal. TuxCare commits to providing an initial response to any reported issue within 3 days.
Requests for customer-directed security patches for CVEs that are outside of the ELS for Libraries scope will be reviewed within 3 working days. If the request is accepted, we will provide the patch within the next 60 days.
Handling Multiple Vulnerabilities: In cases where several CVEs are reported simultaneously for fixing, TuxCare will discuss and agree upon resolution timelines separately with the customer.
Enhanced Transparency & Visibility
TuxCare's commitment to transparency and visibility is foundational to our ELS for Libraries offering. We aim to provide comprehensive details about how each package is built, verified, and distributed, ensuring complete trust in the software supply chain.
- Software Bill of Materials (SBOM): We provide complete visibility into the software supply chain with a comprehensive inventory of every package in the codebase, ensuring transparency and accountability in your software ecosystem.
Note: SBOM support for certain components is in progress and will be available soon. To confirm current availability or expected timeframes, please contact sales@tuxcare.com.
- Enhanced Metadata in Standard Formats: Each SBOM is provided in universally recognized formats such as SPDX and VEX. These include enhanced metadata like artifact analysis, package health, and vulnerability impact data, ensuring that you have the most detailed and actionable information at your fingertips.
- Verifiable Integrity and Provenance: Our packages and metadata provide comprehensive end-to-end provenance, detailing how each package was constructed and tested, ensuring that all components in your software stack are trustworthy.
Note: This feature is under consideration for future development and may be available at a later date. If you are interested, please contact sales@tuxcare.com.
- Secure Distribution: Signed versions of the packages and their metadata are distributed from a registry managed, secured, and protected by TuxCare, guaranteeing that your software updates are authentic and untampered.
Support Duration
TuxCare provides continuous security patching for all supported end-of-life (EOL) technologies for as long as your organization requires them, eliminating the need for rushed or disruptive upgrades.
All updates are delivered at a fixed price for the full term of your contract, ensuring predictable costs and uninterrupted protection.
Technical Support
TuxCare provides technical support according to the standard support policy.
It delivers 24/7/365 access to TuxCare’s support team through the TuxCare Support Portal and to TuxCare’s online knowledge base.
Vulnerability Exploitability eXchange (VEX)
VEX is a machine-readable format that tells you whether a known vulnerability is actually exploitable in your product. It reduces false positives and helps you prioritize real risks.
Why it matters:
- Context-aware vulnerability status (“affected”, “not affected”, “fixed”)
- Cuts scanner noise to what truly matters
- Automation-friendly for tooling and CI/CD
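The following is an added example (not code from TuxCare or this page) of the "cuts scanner noise" use case: it reads a constructed OpenVEX-style document, keeps the newest statement per (package, CVE) pair, and suppresses only findings whose status is "not_affected" or "fixed". The document layout, purls and CVE numbers are all constructed placeholders, and the status vocabulary follows the OpenVEX specification rather than any TuxCare-specific format.

```python
import json
from datetime import datetime
# Constructed OpenVEX-style document (sample data, not a real TuxCare VEX file):
# each statement names a vulnerability, the products it covers (by purl) and a status.
VEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},   # placeholder CVE ids
         "products": [{"@id": "pkg:maven/org.example/lib-a@1.2.3"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path",
         "timestamp": "2024-01-10T00:00:00Z"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:maven/org.example/lib-a@1.2.3"}],
         "status": "under_investigation",
         "timestamp": "2024-01-05T00:00:00Z"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:maven/org.example/lib-a@1.2.3"}],
         "status": "fixed",
         "timestamp": "2024-01-12T00:00:00Z"},
    ],
})
# Constructed scanner output: (purl, CVE id) pairs a dependency scanner flagged.
FINDINGS = [
    ("pkg:maven/org.example/lib-a@1.2.3", "CVE-0000-0001"),
    ("pkg:maven/org.example/lib-a@1.2.3", "CVE-0000-0002"),
    ("pkg:maven/org.example/lib-b@2.0.0", "CVE-0000-0003"),
]

def latest_statuses(vex_json):
    """Map (purl, vuln id) -> status, keeping only the newest statement per pair."""
    latest = {}
    for st in json.loads(vex_json)["statements"]:
        ts = datetime.fromisoformat(st["timestamp"].replace("Z", "+00:00"))
        for product in st["products"]:
            key = (product["@id"], st["vulnerability"]["name"])
            if key not in latest or ts > latest[key][0]:
                latest[key] = (ts, st["status"])
    return {k: v[1] for k, v in latest.items()}

def triage(findings, vex_json):
    """Split findings into ones needing action and ones the VEX lets you suppress."""
    statuses = latest_statuses(vex_json)
    actionable, suppressed = [], []
    for purl, vuln in findings:
        status = statuses.get((purl, vuln), "no_vex_statement")
        # Only "not_affected" and "fixed" justify dropping a finding; "affected",
        # "under_investigation" and unmatched findings stay on the action list.
        (suppressed if status in ("not_affected", "fixed") else actionable).append((purl, vuln, status))
    return actionable, suppressed
```

Findings with no matching VEX statement are deliberately kept actionable, so a missing or stale VEX file can never hide a real finding.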
Language-specific guides: Java, JavaScript, Python, PHP, .NET