From: Tim Funk
To: Tomcat Users List (tomcat-user@jakarta.apache.org)
Date: Thu, 09 Sep 2004 06:53:33 -0400
Subject: Re: Security and patching tomcat
Message-ID: <4140362D.1090407@joedog.org>

The last serious security issue was the Invoker servlet being enabled by default. A new release was made and generally announced.
No hot patches were made, but in that case - it was made known how to possibly mitigate the issue if you could not upgrade.

From a deployment point of view - it depends on how you do things. Personally - I have a separate filesystem with all of my webapps independent of tomcat. Then I manually place my Context declarations as needed. I don't use the manager, or admin for deployment.

If I need to upgrade, I either create a new tomcat instance, or stop the instance and replace the appropriate files. This depends on how much downtime you allow.

-Tim

Drinkwater, GJ (Glen) wrote:
> Hi
>
> We are running tomcat for our production server and I was wondering how
> other people cope with applying security patches (where do you find alerts
> about security for tomcat?) as tomcat is distributed as either source or
> dist and not as rpms.
>
> What's the best practice for the installation of tomcat for this process? Is
> it best to provide symbolic links to the war files and the applications and
> not dump them into the webapps directory as this will move when you upgrade
> the server?
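An added example, not code from the post or from the Tomcat project, showing the layout Tim describes: webapps on their own directory tree outside Tomcat, wired in by a hand-written Context descriptor, plus a check for the default the post calls the last serious issue. The post does not spell out the mitigation; the check below assumes it is the invoker's servlet-mapping in conf/web.xml being commented out, and ignores mappings that sit inside XML comments so a patched file is not flagged. All paths, the app name "shop" and the sample web.xml fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumed paths and app names, not from the mailing-list post).
# Context descriptors are written where Tomcat 5 picks them up:
# $CATALINA_BASE/conf/Catalina/localhost/<app>.xml, with the context path
# taken from the file name and docBase pointing outside the Tomcat tree.

# write_context BASE APP DOCBASE: create the descriptor and print its path.
write_context() {
  base="$1"; app="$2"; docbase="$3"
  mkdir -p "$base/conf/Catalina/localhost"
  printf '<Context docBase="%s" reloadable="false" />\n' "$docbase" \
    > "$base/conf/Catalina/localhost/$app.xml"
  echo "$base/conf/Catalina/localhost/$app.xml"
}

# strip_xml_comments FILE: print FILE with every <!-- ... --> block removed,
# including blocks that span several lines (the usual way the invoker
# mapping is disabled in a stock conf/web.xml).
strip_xml_comments() {
  awk '
  { line = $0; out = ""
    while (length(line) > 0) {
      if (inc) {
        e = index(line, "-->")
        if (e == 0) break
        line = substr(line, e + 3); inc = 0
      } else {
        s = index(line, "<!--")
        if (s == 0) { out = out line; break }
        out = out substr(line, 1, s - 1)
        line = substr(line, s + 4); inc = 1
      }
    }
    print out
  }' "$1"
}

# invoker_enabled WEBXML: exit 0 if an active (uncommented) servlet-mapping
# for the invoker servlet is present, 1 otherwise.
invoker_enabled() {
  strip_xml_comments "$1" | tr -d '\n' |
    grep -q '<servlet-mapping>[[:space:]]*<servlet-name>[[:space:]]*invoker[[:space:]]*</servlet-name>'
}

# write_sample_webxml DEST MODE: constructed conf/web.xml fragment for
# offline testing. MODE is "active" (mapping live) or "commented".
write_sample_webxml() {
  dest="$1"; mode="$2"
  {
    echo '<web-app>'
    echo '  <servlet>'
    echo '    <servlet-name>invoker</servlet-name>'
    echo '    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>'
    echo '  </servlet>'
    [ "$mode" = "commented" ] && echo '  <!--'
    echo '  <servlet-mapping>'
    echo '    <servlet-name>invoker</servlet-name>'
    echo '    <url-pattern>/servlet/*</url-pattern>'
    echo '  </servlet-mapping>'
    [ "$mode" = "commented" ] && echo '  -->'
    echo '</web-app>'
  } > "$dest"
}

# demo: lay out a scratch instance and run the check on both samples.
demo() {
  tmp="${TMPDIR:-/tmp}/tomcat-layout.$$"
  mkdir -p "$tmp/apps/shop"
  echo "context: $(write_context "$tmp/tomcat" shop "$tmp/apps/shop")"
  write_sample_webxml "$tmp/default.xml" active
  write_sample_webxml "$tmp/patched.xml" commented
  for f in "$tmp/default.xml" "$tmp/patched.xml"; do
    if invoker_enabled "$f"; then echo "$f: invoker mapping ACTIVE"
    else echo "$f: invoker mapping off"; fi
  done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh layout.sh demo` to see both outcomes; point `invoker_enabled` at a real `conf/web.xml` to audit an existing instance. Keeping the Tomcat tree and the application tree apart, as the descriptor does, is what lets the upgrade path in the post (stand up a fresh instance, or stop and replace files) avoid touching the applications at all.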