tomcat-users mailing list archives

From Pid <...@pidster.com>
Subject Re: avoiding ssl vulnerabilities in tomcat
Date Thu, 13 Aug 2009 08:09:18 GMT
On 13/08/2009 06:17, sunil chandran wrote:
> Hello all,
> As per Christopher's response:
> 1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
>     provide the least headache because you will be staying on your
>     current Tomcat version, just improving your patch level.
>     Plan to upgrade to a newer release of Tomcat in the future.
> Can you please tell me what you mean by improving patch level.
> How should I install Tomcat 4.1.40 on Tomcat 4.1.24? Is it a separate installation or a patch?
> Please help me

1. Install a new Tomcat version 4.1.40.
2. Configure as needed.
3. Consider investing in some Tomcat training/books/tutorials.

p


> --- On Wed, 12/8/09, Christopher Schultz<chris@christopherschultz.net>  wrote:
>
> From: Christopher Schultz<chris@christopherschultz.net>
> Subject: Re: avoiding ssl vulnerabilities in tomcat
> To: "Tomcat Users List"<users@tomcat.apache.org>
> Date: Wednesday, 12 August, 2009, 8:15 PM
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sunil,
>
> On 8/12/2009 3:12 AM, sunil chandran wrote:
>> The issue is SSL vulnerability. From the responses, I understood that
>> I need to upgrade to the latest Tomcat version. As per the team, it is
>> recommended to go for Tomcat 5 in our environment.
>
> With all due respect to your team, I think they are making a mistake.
> Either of these are better choices in my opinion:
>
> 1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
>     provide the least headache because you will be staying on your
>     current Tomcat version, just improving your patch level.
>     Plan to upgrade to a newer release of Tomcat in the future.
>
> 2. Upgrade directly to Tomcat 6 without making a stop at Tomcat 5.5.
>     If you are going to upgrade major versions, there is absolutely
>     no reason for you to go to Tomcat 5.5, which will eventually have
>     support dropped just like Tomcat 4.1 did.
>
>> My question is: is this vulnerability solved in the Tomcat 5 version?
>
> Sheesh. Did you read the CVE description?
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1858
>
> It clearly says that Tomcat 5.5 is vulnerable through 5.5.17 (which is
> inaccurate: the fix for this is documented to be in 5.5.17). Make sure
> you are using a version later than that if you must use 5.5.
>
> Now, before you ask about what version of Tomcat 6 you need in order to
> avoid this vulnerability, let me help you:
>
> 1. Go to Tomcat's web site (http://tomcat.apache.org/)
> 2. Follow the link that says "Security"
> 3. Pick your major Tomcat version
> 4. Read the fixes. Each one mentions the CVE identifier, a description
>     of the problem, the versions of Tomcat affected, and the version in
>     which a fix appears.
>
> All this information is easy to find on the Tomcat web site. Please read
> the documentation before continuing to ask questions such as these.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkqC1ZUACgkQ9CaO5/Lv0PCU0ACfRTpiCEBpHAPCHyU0zB9nEX7s
> ZSEAoJb6rG+4aQCzX2iyP9B3VqLODGFX
> =z6Bp
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>

