Posted to users@tomcat.apache.org by Cherie Barnes <my...@netscape.net> on 2007/06/22 16:05:32 UTC

Are vulnerability patches available for Tomcat 5.5.23

Are there any patches available for the Apache Tomcat Application Server 
(downloaded from tomcat.apache.org)?  I recently upgraded to 5.5.23 and 
find that there is a security flaw ( CVE-2007-2450 
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450>) that 
needs to be fixed.  I really don't want to have to re-install every time 
a security flaw is found.  Are there any patches that can be applied to 
comply with the security vulnerabilities?  I do not have a Solaris 10 
build environment yet so I can't rebuild the server either.  I tried 
asking the security@tomcat.apache.org, but they told me I had to ask the 
user group.  Please let me know if there is a place where tomcat apache 
patches can be found for Solaris 10.
Thanks in advance,
Cherie


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Are vulnerability patches available for Tomcat 5.5.23

Posted by Rainer Jung <ra...@kippdata.de>.
Tomcat 5.5.24 is expected to be released in a few days.

The vulnerability you cited should be rated low impact for most people. 
There is a similar open issue; both are briefly described on the page

http://tomcat.apache.org/security-5.html

Both issues only affect the example webapps (which you would never 
deploy in production, if you are security aware) and the manager 
webapp, which will only be used by system administration people.

Regards,

Rainer

Cherie Barnes wrote:
> Are there any patches available for the Apache Tomcat Application Server 
> (downloaded from tomcat.apache.org)?  I recently upgraded to 5.5.23 and 
> find that there is a security flaw ( CVE-2007-2450 
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450>) that 
> needs to be fixed.  I really don't want to have to re-install every time 
> a security flaw is found.  Are there any patches that can be applied to 
> comply with the security vulnerabilities?  I do not have a Solaris 10 
> build environment yet so I can't rebuild the server either.  I tried 
> asking the security@tomcat.apache.org, but they told me I had to ask the 
> user group.  Please let me know if there is a place where tomcat apache 
> patches can be found for Solaris 10.
> Thanks in advance,
> Cherie



Re: Are vulnerability patches available for Tomcat 5.5.23

Posted by Hassan Schroeder <ha...@gmail.com>.
On 6/22/07, Cherie Barnes <my...@netscape.net> wrote:

> I really don't want to have to re-install every time...

> I do not have a Solaris 10  build environment yet so I can't rebuild
> the server either.

? If installing a new (minor) release seems like a big deal, I'd suggest
you're doing something wrong :-)

What "rebuild"? Untar; copy config files; set CATALINA_HOME to new
value and go. The only requirement is keeping your appBase outside
the Tomcat installation directory.

IMHO,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
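
The one requirement named in the reply above, an appBase kept outside the Tomcat installation directory, can be checked before CATALINA_HOME is pointed at a new release. The script below is an added example and not part of the thread; `check_appbase` and `canonical` are hypothetical helper names, and it assumes CATALINA_BASE is not set separately, so a relative appBase resolves against CATALINA_HOME.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether each appBase in
# conf/server.xml lies outside the Tomcat installation directory.
# Assumption: CATALINA_BASE is not set separately, so a relative appBase
# resolves against CATALINA_HOME. Only double-quoted attributes are read.

# canonical DIR: physical path of DIR if it exists, otherwise DIR as given.
canonical() {
    if [ -d "$1" ]; then (cd "$1" && pwd -P); else printf '%s\n' "$1"; fi
}

# check_appbase CATALINA_HOME
# Prints "INSIDE <path>" or "OUTSIDE <path>" for every appBase attribute.
# Returns 0 if all are outside, 1 if any is inside, 2 if server.xml is missing.
check_appbase() {
    inst=$(canonical "$1")
    xml="$inst/conf/server.xml"
    [ -f "$xml" ] || { echo "no conf/server.xml under $inst" >&2; return 2; }
    bases=$(grep -o 'appBase="[^"]*"' "$xml" | sed 's/^appBase="//; s/"$//')
    status=0
    while IFS= read -r base; do
        [ -n "$base" ] || continue
        case "$base" in
            /*) abs=$base ;;            # absolute appBase
            *)  abs="$inst/$base" ;;    # relative: resolved against the install
        esac
        abs=$(canonical "$abs")
        case "$abs/" in
            "$inst"/*) echo "INSIDE $abs"; status=1 ;;
            *)         echo "OUTSIDE $abs" ;;
        esac
    done <<EOF
$bases
EOF
    return $status
}

# Usage: sh check_appbase.sh /path/to/current/tomcat
if [ $# -gt 0 ]; then check_appbase "$1"; fi
```

An `INSIDE` result means the web applications live under the directory that the new release replaces, so they have to be moved, and appBase updated, before the switch.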



Re: Are vulnerability patches available for Tomcat 5.5.23

Posted by Cherie Barnes <my...@netscape.net>.
Thanks, that is what I was afraid of... Maybe it's time I put a 
build environment together...

markt@apache.org wrote:
> Cherie Barnes wrote:
> 
>>Are there any patches available for the Apache Tomcat Application Server
>>(downloaded from tomcat.apache.org)?
> 
> 
> In 99.9% of cases we do not provide a patch, we provide a new release.
> 
> Mark




Re: Are vulnerability patches available for Tomcat 5.5.23

Posted by Mark Thomas <ma...@apache.org>.
Cherie Barnes wrote:
> Are there any patches available for the Apache Tomcat Application Server
> (downloaded from tomcat.apache.org)?

In 99.9% of cases we do not provide a patch, we provide a new release.

Mark

