tomcat-users mailing list archives

From Tim Funk <>
Subject Re: Security and patching tomcat
Date Thu, 09 Sep 2004 10:53:33 GMT
The last serious security issue was the Invoker servlet being enabled by
default. A new release was made and generally announced. No hot patches were
made, but in that case it was made known how to possibly mitigate the issue
if you could not upgrade.

From a deployment point of view - it depends on how you do things.
Personally - I have a separate filesystem with all of my webapps independent
of tomcat. Then I manually place my Context declarations as needed. I
don't use the manager or admin for deployment.

If I need to upgrade, I either create a new tomcat instance, or stop the 
instance and replace the appropriate files. This depends on how much downtime 
you allow.


Drinkwater, GJ (Glen) wrote:
> Hi
> We are running tomcat for our production server and I was wondering how
> other people cope with applying security patches (where do you find alerts
> about security for tomcat?) as tomcat is distributed as either source or
> dist and not as rpms.
> What's the best practice for the installation of tomcats for this process?  Is
> it best to provide symbolic links to the war files and the applications and
> not dump them into the webapps directory as this will move when you upgrade
> the server?
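
An added example, not part of the original message or of Tomcat itself: a small Python audit of the two points raised in the reply above, namely whether the Invoker servlet is still mapped in `conf/web.xml` and whether any Context descriptor has a docBase inside the Tomcat installation rather than on a separate filesystem. The sample XML, the `/srv/webapps` path and the descriptor directory name are constructed for illustration, and relative docBase values are assumed to resolve against the default `webapps` appBase.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def local(tag):
    # Drop the namespace so DTD-style and schema-style files both match.
    return tag.rsplit("}", 1)[-1]

def invoker_mappings(web_xml_text):
    """URL patterns still mapped to the 'invoker' servlet (XML comments are ignored by the parser)."""
    patterns = []
    for elem in ET.fromstring(web_xml_text).iter():
        if local(elem.tag) == "servlet-mapping":
            fields = {local(c.tag): (c.text or "").strip() for c in elem}
            if fields.get("servlet-name") == "invoker":
                patterns.append(fields.get("url-pattern", ""))
    return patterns

def docbases_inside_install(context_dir, tomcat_home):
    """{descriptor: docBase} for Context files whose docBase lies under tomcat_home."""
    home, inside = os.path.realpath(tomcat_home), {}
    for name in sorted(n for n in os.listdir(context_dir) if n.endswith(".xml")):
        root = ET.parse(os.path.join(context_dir, name)).getroot()
        doc_base = root.get("docBase")
        if local(root.tag) == "Context" and doc_base:
            # Assumption: a relative docBase resolves against <home>/webapps (the default appBase).
            resolved = os.path.realpath(os.path.join(home, "webapps", doc_base))
            if os.path.commonpath([home, resolved]) == home:
                inside[name] = doc_base
    return inside

# Constructed sample input, not taken from a real installation.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/servlet/*</url-pattern></servlet-mapping>
  <!-- <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/old/*</url-pattern></servlet-mapping> -->
</web-app>"""

def demo():
    """Build a throwaway layout with one external and one in-tree docBase, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "tomcat")
        ctx = os.path.join(home, "conf", "contexts")  # hypothetical descriptor directory
        os.makedirs(ctx)
        for name, base in (("shop.xml", "/srv/webapps/shop"), ("wiki.xml", "wiki")):
            with open(os.path.join(ctx, name), "w") as f:
                f.write('<Context docBase="%s"/>' % base)
        return invoker_mappings(SAMPLE_WEB_XML), docbases_inside_install(ctx, home)

if __name__ == "__main__":
    print(demo())
```

An empty list from `invoker_mappings` means no active mapping remains; any entry from `docbases_inside_install` is a webapp that lives inside the installation directory and has to be accounted for when the instance is replaced.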
