Re: Why only old Java?
For years I've been downloading my own Java and putting it in /opt/java rather than have any linux distro take care of it.
About half a year ago, I decided to let the repo (or in this case the PPA) do it.
Then I went through a PCI compliance process (so you can process credit cards) for one of the servers I'd made this switch on. It's a PITA.
So here's the deal. Any distro has a period of testing before they include a new release into the repository. That's what everybody expects, and that's the reason they attribute to any delay.
12.04 is a long-term support release. So what they did here is pick a point in time, freeze the versions of the upstream product and then call that stable. After that they kept the same upstream version and then applied security and maybe stability fixes, no new features. You can look here: http://people.canonical.com/~ubuntu-security/cve/ and enter the CVE (standard vulnerability identifier) to see whether the vulnerability has been fixed for your version of Ubuntu.
I would strongly recommend that anything you do with Java or Tomcat be done by downloading your own and installing it someplace like /usr/local/java or /opt. Get on the updates mailing list from Oracle. Checking every couple weeks to see if everything is up-to-date is much less pain than trying to check if the tomcat or Java that Ubuntu (or any other distro) has had a patch backported, filing an exception request (which takes a week or so to process) and then re-running an external third-party vulnerability scan.
For what it's worth, I stayed with the Ubuntu version of apache2 for the front-end.
Help stamp out MBR partition tables. Use GPT instead!