Posted to users@tomcat.apache.org by "Palmer, Anthony" <an...@lmco.com> on 2011/10/10 16:18:13 UTC

install of Tomcat 6.0.33

Hello,
I am looking for documentation on doing a patch install. I am really new to doing this type of work so I could really use some help on how to do this. I am currently running JIRA 4.2.2 which apache was bundled with and was told that this update was needed. Since there is no .exe file run in the apache-tomcat-6.0.33 file that I downloaded I was hoping for some help on how to handle this update with some written step by step instructions. This patch will be going on a Windows 2003 server. Thanks for your help.



RE: EXTERNAL: Re: install of Tomcat 6.0.33

Posted by "Palmer, Anthony" <an...@lmco.com>.
The version of Apache that is shown in JIRA is Apache Tomcat/6.0.20. I was told that this update was needed from Foundstone after a recent scan was done. This is a 32-bit VM. Here are some of the vulnerabilities that we found, but most of the problems found tell us the same thing of how to fix them, which is to go to the next upgrade/update of Apache.


Apache Tomcat WAR Deployment Directory Traversal Vulnerability

The vendor has made an updated version available for remediation: http://svn.apache.org/viewvc?view=revision&revision=902650 For Apache Tomcat 5.5.x, upgrade to 5.5.29 or later. For Apache Tomcat 6.0.x, upgrade to 6.0.24 or later.


Apache Tomcat Failed Deployment Information Disclosure Vulnerability
The vendor has made an updated version available for remediation. For Apache Tomcat 5.5.x, upgrade to 5.5.29 or later. For Apache Tomcat 6.0.x, upgrade to 6.0.24 or later.

Apache Tomcat WAR File Names Directory Traversal Vulnerability
The vendor has made an updated version available for remediation. For Apache Tomcat 5.5.x, upgrade to 5.5.29 or later. For Apache Tomcat 6.0.x, upgrade to 6.0.24 or later.

Apache Tomcat NIO Connector Denial Of Service
The vendor has released an update to address the issue: http://tomcat.apache.org/security-7.html


-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Monday, October 10, 2011 10:35 AM
To: Tomcat Users List
Subject: EXTERNAL: Re: install of Tomcat 6.0.33

On 10/10/2011 15:18, Palmer, Anthony wrote:
> Hello, I am looking for documentation on doing a patch install.

There is no documentation since the ASF does not release patches. Each
release of Apache Tomcat is a full release. There is no mechanism to
patch an older release to a newer one.

There are some really ugly hacks that might work but I'd really rather
not go there.

What version of Tomcat are you upgrading from?

> I am really new to doing this type of work so I could really use some
> help on how to do this. I am currently running JIRA 4.2.2 which
> apache was bundled with and was told that this update was needed.

Told by whom?
What problem are you trying to fix?

If you are running Jira 4.2.2 then you need to upgrade Jira as well.

> Since there is no .exe file run in the apache-tomcat-6.0.33 file that
> I downloaded I was hoping for some help on how to handle this update
> with some written step by step instructions. This patch will be going
> on a Windows 2003 server.

32-bit or 64-bit?

Atlassian will disagree with this view but my recommendation would be to
install the latest Tomcat 6.0.x release along with the latest Jira
release using the WAR distribution rather than the bundled distribution.
Further, if you separate CATALINA_HOME and CATALINA_BASE future upgrades
of Tomcat are trivial.

The ASF uses this approach for its own Jira installation and it works
very well.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: install of Tomcat 6.0.33

Posted by Mark Thomas <ma...@apache.org>.
On 10/10/2011 15:18, Palmer, Anthony wrote:
> Hello, I am looking for documentation on doing a patch install.

There is no documentation since the ASF does not release patches. Each
release of Apache Tomcat is a full release. There is no mechanism to
patch an older release to a newer one.

There are some really ugly hacks that might work but I'd really rather
not go there.

What version of Tomcat are you upgrading from?

> I am really new to doing this type of work so I could really use some
> help on how to do this. I am currently running JIRA 4.2.2 which
> apache was bundled with and was told that this update was needed.

Told by whom?
What problem are you trying to fix?

If you are running Jira 4.2.2 then you need to upgrade Jira as well.

> Since there is no .exe file run in the apache-tomcat-6.0.33 file that
> I downloaded I was hoping for some help on how to handle this update
> with some written step by step instructions. This patch will be going
> on a Windows 2003 server.

32-bit or 64-bit?

Atlassian will disagree with this view but my recommendation would be to
install the latest Tomcat 6.0.x release along with the latest Jira
release using the WAR distribution rather than the bundled distribution.
Further, if you separate CATALINA_HOME and CATALINA_BASE future upgrades
of Tomcat are trivial.

The ASF uses this approach for its own Jira installation and it works
very well.

Mark
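
The CATALINA_HOME / CATALINA_BASE split recommended in the reply above, sketched in PowerShell for a Windows server. This is an added example, not part of the original thread and not ASF or Atlassian tooling; the paths and the function names New-CatalinaBase and Set-CatalinaEnvironment are hypothetical.

```powershell
# Hypothetical paths: adjust to the server's layout.
$NewHome = 'D:\tomcat\apache-tomcat-6.0.33'  # unpacked release zip (bin, lib): replaceable
$BaseDir = 'D:\tomcat\jira-base'             # instance data: survives every upgrade

function New-CatalinaBase {
    param([string]$CatalinaHome, [string]$CatalinaBase)

    # Refuse to continue if the release directory is not a Tomcat install.
    if (-not (Test-Path (Join-Path $CatalinaHome 'bin\catalina.bat'))) {
        throw "No Tomcat release found at $CatalinaHome"
    }

    # Per-instance directories that Tomcat resolves against CATALINA_BASE.
    foreach ($dir in 'conf', 'logs', 'temp', 'webapps', 'work') {
        $path = Join-Path $CatalinaBase $dir
        New-Item -ItemType Directory -Path $path -Force | Out-Null
    }

    # Seed conf only once, so a re-run never overwrites a tuned server.xml.
    $serverXml = Join-Path $CatalinaBase 'conf\server.xml'
    if (-not (Test-Path $serverXml)) {
        Copy-Item (Join-Path $CatalinaHome 'conf\*') `
                  (Join-Path $CatalinaBase 'conf') -Recurse
    }
}

function Set-CatalinaEnvironment {
    param([string]$CatalinaHome, [string]$CatalinaBase)

    # Process scope only: catalina.bat and service.bat read both variables
    # from the environment of the shell that launches them.
    $env:CATALINA_HOME = $CatalinaHome
    $env:CATALINA_BASE = $CatalinaBase
}

New-CatalinaBase        -CatalinaHome $NewHome -CatalinaBase $BaseDir
Set-CatalinaEnvironment -CatalinaHome $NewHome -CatalinaBase $BaseDir

# Confirm which release the instance now runs on (needs JAVA_HOME or JRE_HOME set).
& (Join-Path $env:CATALINA_HOME 'bin\version.bat')
```

A later upgrade then consists of unpacking the new release next to the old one and calling Set-CatalinaEnvironment with the new release path; the configuration, logs and deployed WAR under the base directory are not touched.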
