Posted to users@tomcat.apache.org by suresh babu yella <su...@gmail.com> on 2013/05/08 18:11:45 UTC

Fix CVEs in Tomcat 6.0.18 without upgrade

We are using Tomcat 6.0.18 and we found the below number of Common
Vulnerabilities and Exposures (CVEs).

High Vulns: 98

Medium Vulns: 50

Low Vulns: 6
We cannot upgrade/patch any of those components due to supportability
concerns from Autonomy.

How can I apply a fix for all the CVEs? I see the build instructions at
the link below, but I was looking to apply the fixes without upgrading.

Security -
http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
Build Instructions - http://tomcat.apache.org/tomcat-6.0-doc/building.html


Thanks

Re: Fix CVEs in Tomcat 6.0.18 without upgrade

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Suresh,

On 5/8/13 12:11 PM, suresh babu yella wrote:
> We are using tomcat 6.0.18  and we found below number of Common 
> Vulnerabilities and Exposures (CVE).
> 
> High Vulns: 98
> 
> Medium Vulns: 50
> 
> Low Vulns: 6
> We cannot upgrade/patch any of those components due to
> supportability concerns from Autonomy.
> 
> How can I apply a fix for all the CVE

Easy:

C:\Program Files\Apache Software Foundation\Tomcat 6.0.18> bin\shutdown.sh

Fixed.

> I see the build instructions in below link but I was looking for
> applying the fixes without upgrade.

You would have to read the entire Subversion repository history
involving Tomcat, evaluate each commit to determine its applicability
to each CVE, apply them in order, fix any conflicts, then build the
resulting source tree.

Oh, and you'd then once again have an unsupported version of Tomcat
(unsupported by both the ASF and Autonomy).

Tomcat does not provide patches for CVEs: instead, the Tomcat team
provides whole new versions that include (alleged) fixes for those
CVEs. It's time to upgrade: you are hideously out of date.

If Autonomy won't support running on a properly-patched version of
Tomcat, then you shouldn't be running their software.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Fix CVEs in Tomcat 6.0.18 without upgrade

Posted by David Smith <da...@cornell.edu>.
On 5/8/13 1:17 PM, suresh babu yella wrote:
> Hi Dan,
>
> We might consider upgrading Tomcat later, but due to supportability
> concerns from Autonomy we cannot upgrade it to any of the higher versions.
>
> but right now we are looking to apply the fix for all CVE's we identified,
> it will be great if you can let me know the procedure.
>
>
Then upgrade, but keep it within the Tomcat 6.0.x versions.  Going up to
6.0.37 should be perfectly safe.   Put up a test env and try it.

--David

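David's advice is to stay on the 6.0.x line and move to 6.0.37, then verify in a test environment. The script below is an added example, not from the thread or the Tomcat project: it reads the version an install reports through Tomcat's own `org.apache.catalina.util.ServerInfo` class and flags a 6.0.x install that is older than the newest 6.0.x release named here. The exact `Server version:` output line, the `MIN_6_0` constant and the sample output are assumptions.

```python
"""Flag a Tomcat 6.0.x install reporting a version older than 6.0.37.
Added example for this thread, not Tomcat project code. Assumes that
org.apache.catalina.util.ServerInfo prints a line such as
"Server version: Apache Tomcat/6.0.18" (true for 6.0.x builds I know of).
"""
import re
import subprocess
import sys
from pathlib import Path

MIN_6_0 = (6, 0, 37)  # newest 6.0.x mentioned in the thread (assumed minimum)
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")

# Constructed sample of ServerInfo output for a 6.0.18 install (not captured
# from a real host).
SAMPLE_6018 = "Server version: Apache Tomcat/6.0.18\nServer number:  6.0.18.0\n"


def parse_version(server_info_output):
    """Return (major, minor, patch) from ServerInfo output, or None if absent."""
    m = VERSION_RE.search(server_info_output)
    return tuple(int(x) for x in m.groups()) if m else None


def check_version(version, minimum=MIN_6_0):
    """Classify a version tuple against a minimum in the same major.minor line.
    'ok'         same line, at or above the minimum
    'outdated'   same line, below the minimum (an in-line upgrade applies)
    'other-line' different major.minor; compare with that line's own minimum
    """
    if version[:2] != minimum[:2]:
        return "other-line"
    return "ok" if version >= minimum else "outdated"


def read_server_info(catalina_home):
    """Run ServerInfo from the install's lib/catalina.jar (needs java on PATH)."""
    jar = Path(catalina_home) / "lib" / "catalina.jar"
    cmd = ["java", "-cp", str(jar), "org.apache.catalina.util.ServerInfo"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Usage: python check_tomcat.py /path/to/CATALINA_HOME (else uses the sample)
    text = read_server_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_6018
    ver = parse_version(text)
    status = check_version(ver) if ver else "unknown"
    print(f"Tomcat version {ver}: {status}")
```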


Re: Fix CVEs in Tomcat 6.0.18 without upgrade

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On May 8, 2013, at 1:17 PM, suresh babu yella wrote:

> Hi Dan,
> 
> We might consider upgrading Tomcat later, but due to supportability
> concerns from Autonomy we cannot upgrade it to any of the higher versions.

I don't know that vendor, but it sounds like you might need to have a conversation with them and see what is taking them so incredibly long (6.0.18 was released in Jul 2008) to upgrade.

> 
> but right now we are looking to apply the fix for all CVE's we identified,
> it will be great if you can let me know the procedure.

Each of the security issues that have been fixed is documented at the link you included.

 http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities

You might be able to go through and apply mitigations for each of them, but that's going to be a long and tedious process.

This is why you should really consider upgrading.  That will bring everything up-to-date in one step.

Dan

> 
> Thanks
> Suresh
> 
> 
> On Wed, May 8, 2013 at 10:11 AM, Daniel Mikusa <dm...@gopivotal.com> wrote:
> 
>> On May 8, 2013, at 12:11 PM, suresh babu yella wrote:
>> 
>>> We are using tomcat 6.0.18  and we found below number of Common
>>> Vulnerabilities and Exposures (CVE).
>> 
>> Not surprising given the version that you are using.  Latest version is
>> 6.0.37.
>> 
>>> 
>>> High Vulns: 98
>>> 
>>> Medium Vulns: 50
>>> 
>>> Low Vulns: 6
>>> We cannot upgrade/patch any of those components due to supportability
>>> concerns from Autonomy.
>>> 
>>> How can I apply a fix for all the CVE, I see the build instructions in
>>> below link but I was looking for applying the fixes without upgrade.
>> 
>> You should really consider upgrading.  Why are you so opposed to upgrading?
>> 
>> Dan
>> 
>>> 
>>> Security -
>>> 
>> http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
>>> Build Instructions -
>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>>> 
>>> 
>>> Thanks
>> 
>> 
>> 
>> 




Re: Fix CVEs in Tomcat 6.0.18 without upgrade

Posted by Mark Thomas <ma...@apache.org>.
suresh babu yella <su...@gmail.com> wrote:

>Hi Dan,
>
>We might consider upgrading Tomcat later, but due to supportability
>concerns from Autonomy we cannot upgrade it to any of the higher versions.
>
>But right now we are looking to apply the fix for all the CVEs we
>identified; it would be great if you can let me know the procedure.

The only available procedure is to upgrade. We do not provide patches for old releases.

Mark

>
>Thanks
>Suresh
>
>
>On Wed, May 8, 2013 at 10:11 AM, Daniel Mikusa <dm...@gopivotal.com> wrote:
>
>> On May 8, 2013, at 12:11 PM, suresh babu yella wrote:
>>
>> > We are using tomcat 6.0.18  and we found below number of Common
>> > Vulnerabilities and Exposures (CVE).
>>
>> Not surprising given the version that you are using.  Latest version is
>> 6.0.37.
>>
>> >
>> > High Vulns: 98
>> >
>> > Medium Vulns: 50
>> >
>> > Low Vulns: 6
>> > We cannot upgrade/patch any of those components due to supportability
>> > concerns from Autonomy.
>> >
>> > How can I apply a fix for all the CVE, I see the build instructions in
>> > below link but I was looking for applying the fixes without upgrade.
>>
>> You should really consider upgrading.  Why are you so opposed to upgrading?
>>
>> Dan
>>
>> >
>> > Security -
>> > http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
>> > Build Instructions -
>> > http://tomcat.apache.org/tomcat-6.0-doc/building.html
>> >
>> >
>> > Thanks
>>
>>
>>
>>





Re: Fix CVEs in Tomcat 6.0.18 without upgrade

Posted by suresh babu yella <su...@gmail.com>.
Hi Dan,

We might consider upgrading Tomcat later, but due to supportability
concerns from Autonomy we cannot upgrade it to any of the higher versions.

But right now we are looking to apply the fix for all the CVEs we identified;
it would be great if you can let me know the procedure.

Thanks
Suresh


On Wed, May 8, 2013 at 10:11 AM, Daniel Mikusa <dm...@gopivotal.com> wrote:

> On May 8, 2013, at 12:11 PM, suresh babu yella wrote:
>
> > We are using tomcat 6.0.18  and we found below number of Common
> > Vulnerabilities and Exposures (CVE).
>
> Not surprising given the version that you are using.  Latest version is
> 6.0.37.
>
> >
> > High Vulns: 98
> >
> > Medium Vulns: 50
> >
> > Low Vulns: 6
> > We cannot upgrade/patch any of those components due to supportability
> > concerns from Autonomy.
> >
> > How can I apply a fix for all the CVE, I see the build instructions in
> > below link but I was looking for applying the fixes without upgrade.
>
> You should really consider upgrading.  Why are you so opposed to upgrading?
>
> Dan
>
> >
> > Security -
> >
> http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
> > Build Instructions -
> http://tomcat.apache.org/tomcat-6.0-doc/building.html
> >
> >
> > Thanks
>
>
>
>

Re: Fix CVEs in Tomcat 6.0.18 without upgrade

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On May 8, 2013, at 12:11 PM, suresh babu yella wrote:

> We are using tomcat 6.0.18  and we found below number of Common
> Vulnerabilities and Exposures (CVE).

Not surprising given the version that you are using.  Latest version is 6.0.37.

> 
> High Vulns: 98
> 
> Medium Vulns: 50
> 
> Low Vulns: 6
> We cannot upgrade/patch any of those components due to supportability
> concerns from Autonomy.
> 
> How can I apply a fix for all the CVE, I see the build instructions in
> below link but I was looking for applying the fixes without upgrade.

You should really consider upgrading.  Why are you so opposed to upgrading?

Dan

> 
> Security -
> http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
> Build Instructions - http://tomcat.apache.org/tomcat-6.0-doc/building.html
> 
> 
> Thanks

