Tomcat patch management and patching best practices

[Murtaza Doctor <mf...@gmail.com>]

Dear Support,

We request your help/advice for the Tomcat Patch Management. We have
installed Tomcat server to host an application which is internally used in
our organisation. We donot have any current process/procedure to patch
Tomcat. So we are looking for your advice on this.

Please address my below queries:

1) What is the best procedure/practice to keep Tomcat up-to-date with
patches?

2) How frequently does Tomcat releases patches/updates? If patches are
available, please advice the link to access the patches and its details
(including steps to apply it)

3) Are separate patches released for security vulnerabilities fixed and bug
fixed in Tomcat application server?

Kindly advice. Your suggestion will help us in building our internal
processes. Thanks.

Kind Regards,
Murtaza Doctor.

Re: Tomcat patch management and patching best practices

[Mark Thomas <ma...@apache.org>]

The Apache Tomcat project does not provide patches for individual issues
and has no plans to change that.

The simplest way to manage updates is to separate CATALINA_HOME and
CATALINA_BASE as per
http://tomcat.apache.org/tomcat-9.0-doc/introduction.html#CATALINA_HOME_and_CATALINA_BASE
or
https://tomcat.apache.org/tomcat-9.0-doc/RUNNING.txt

Upgrades then become a case of:

Unpack new binary distribution
Stop Tomcat
Update CATALINA_HOME environment variable
Start Tomcat

Mark


On 07/02/2019 02:52, John Larsen wrote:
> Thats a really good question. We've simply replaced the entire tomcat
> installation and then rerun auto config.
> 
> Be nice if apache provided patches.
> 
> John
> 
> 
> On Wed, Feb 6, 2019 at 7:39 PM Murtaza Doctor <mf...@gmail.com> wrote:
> 
>> Dear Support,
>>
>> We request your help/advice for the Tomcat Patch Management. We have
>> installed Tomcat server to host an application which is internally used in
>> our organisation. We donot have any current process/procedure to patch
>> Tomcat. So we are looking for your advice on this.
>>
>> Please address my below queries:
>>
>> 1) What is the best procedure/practice to keep Tomcat up-to-date with
>> patches?
>>
>> 2) How frequently does Tomcat releases patches/updates? If patches are
>> available, please advice the link to access the patches and its details
>> (including steps to apply it)
>>
>> 3) Are separate patches released for security vulnerabilities fixed and bug
>> fixed in Tomcat application server?
>>
>> Kindly advice. Your suggestion will help us in building our internal
>> processes. Thanks.
>>
>> Kind Regards,
>> Murtaza Doctor.
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Tomcat patch management and patching best practices

[John Larsen <jo...@javapipe.com>]

Thats a really good question. We've simply replaced the entire tomcat
installation and then rerun auto config.

Be nice if apache provided patches.

John


On Wed, Feb 6, 2019 at 7:39 PM Murtaza Doctor <mf...@gmail.com> wrote:

> Dear Support,
>
> We request your help/advice for the Tomcat Patch Management. We have
> installed Tomcat server to host an application which is internally used in
> our organisation. We donot have any current process/procedure to patch
> Tomcat. So we are looking for your advice on this.
>
> Please address my below queries:
>
> 1) What is the best procedure/practice to keep Tomcat up-to-date with
> patches?
>
> 2) How frequently does Tomcat releases patches/updates? If patches are
> available, please advice the link to access the patches and its details
> (including steps to apply it)
>
> 3) Are separate patches released for security vulnerabilities fixed and bug
> fixed in Tomcat application server?
>
> Kindly advice. Your suggestion will help us in building our internal
> processes. Thanks.
>
> Kind Regards,
> Murtaza Doctor.
>