RE: Tomcat 10

[Sean Hulbert <sh...@securitycentric.net.INVALID>]

Hello Nick

Yes that should work just fine,  however is there a upgrade document on what needs to go where,

So far I see Tomcat in these locations

/var/lib/tomcat9
/usr/share/tomcat9
/etc/tomcat9

I have downloaded apache-tomcat-9.0.71.tar.gz binary; can I simply stop tomcat and replace the files with the binary or is there a procedure?
As usual nothing is easy as apt-get --upgrade  

Any information on upgrading tomcat for guacamole will be appreciated. 

Thank You
Sean Hulbert
 

-----Original Message-----
From: Nick Couchman [mailto:vnick@apache.org] 
Sent: Tuesday, January 31, 2023 1:57 PM
To: user@guacamole.apache.org
Subject: Re: Tomcat 10

On Tue, Jan 31, 2023 at 4:34 PM Sean Hulbert <sh...@securitycentric.net.invalid> wrote:
>
> Hello,
>
>
>
> Are there any special requirements for Guacamole 1.4.0 to update Tomcat 9.0.31 to Tomcat 10 or reasons not to do this?
>

Yes, Tomcat 10 makes some servlet API changes that require code changes to Guacamole. It's documented, here:

https://issues.apache.org/jira/browse/GUACAMOLE-1325

> To resolve the CVE below, and are there any procedural steps documented?

WIthout looking at each individual CVE you mentioned, I would say that most, if not all, are probably also fixed in a version of Tomcat 9.0, which will still work with Guacamole. For example, CVE-2021-43980 only impacts 9.0.47 to 9.0.60, and is fixed in current 9.0 releases. I would venture a guess that many/most/all of the rest are the same. So, updating to the latest version of Tomcat 9.x should be a perfectly acceptable procedural step.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

Re: Tomcat 10

[Michael Jumper <mj...@apache.org>]

On Tue, Jan 31, 2023 at 4:26 PM Sean Hulbert
<sh...@securitycentric.net.invalid> wrote:

> Hello Nick
>
> Yes that should work just fine,  however is there a upgrade document on
> what needs to go where,
>

We do not have a document covering how to upgrade Tomcat. The vendor that
provided your copy of Tomcat should be able to help with this.

So far I see Tomcat in these locations
>
> /var/lib/tomcat9
> /usr/share/tomcat9
> /etc/tomcat9
>
> I have downloaded apache-tomcat-9.0.71.tar.gz binary; can I simply stop
> tomcat and replace the files with the binary or is there a procedure?
> As usual nothing is easy as apt-get --upgrade
>
> Any information on upgrading tomcat for guacamole will be appreciated.
>

This really isn't specific to Guacamole. You appear to have a Tomcat
install from Debian or a Debian-based distro, and you will have to maintain
that install according to however Debian or that distro specify. If you
want to remove that installation and replace it with your own manual
install of Tomcat, you can do that, too. All that is completely independent
of Guacamole.

If the vendor that provides your Tomcat packages has updated packages, you
should be able to just use those. I can't speak for your vendor, but the
ability to upgrade without breaking web applications that are already
deployed is part of the point of having such packages. If you are entirely
replacing your Tomcat install with your own manually-installed copy of
Tomcat, then you will need to follow the usual install instructions to
deploy Guacamole beneath that version of Tomcat just as you did for your
old version. It's unlikely that your manually-installed copy of Tomcat will
be looking at the same locations as your vendor's Tomcat.

- Mike