Message-ID: <29568.13113.qm@web94915.mail.in2.yahoo.com>
Date: Wed, 12 Aug 2009 22:11:47 -0700 (PDT)
From: sunil chandran
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: Tomcat Users List
In-Reply-To: <4A82D595.9020101@christopherschultz.net>

Hello all,

A slight change. After discussions, the production team in Singapore wants us to go for an upgrade to 4.1.40.

Comments from tomcat forum responses:

1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.

Now I feel the vulnerability is fixed in this version.

Now installing tomcat 4.1.40, what all changes will be required in my service?
.. no change in application?
maybe installation and configuration changes will be needed?
change needed in logging?
should I stop the tomcat 4 service running and then install this new tomcat 4.1.40?

Please help

--- On Wed, 12/8/09, Christopher Schultz wrote:

From: Christopher Schultz
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: "Tomcat Users List"
Date: Wednesday, 12 August, 2009, 8:15 PM

Sunil,

On 8/12/2009 3:12 AM, sunil chandran wrote:
> The issue is SSL vulnerability. From the responses, I understood that
> I need to upgrade to tomcat latest version. As per the team, it is
> recommended to go for Tomcat 5 in our environment.

With all due respect to your team, I think they are making a mistake.
Either of these are better choices in my opinion:

1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.

2. Upgrade directly to Tomcat 6 without making a stop at Tomcat 5.5.
   If you are going to upgrade major versions, there is absolutely
   no reason for you to go to Tomcat 5.5, which will eventually have
   support dropped just like Tomcat 4.1 did.

> my question is: Is this vulnerability solved in tomcat 5 version?

Sheesh. Did you read the CVE description?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1858

It clearly says that Tomcat 5.5 is vulnerable through 5.5.17 (which is
inaccurate: the fix for this is documented to be in 5.5.17). Make sure
you are using a version later than that if you must use 5.5.

Now, before you ask about what version of Tomcat 6 you need in order to
avoid this vulnerability, let me help you:

1. Go to Tomcat's web site (http://tomcat.apache.org/)
2. Follow the link that says "Security"
3. Pick your major Tomcat version
4. Read the fixes. Each one mentions the CVE identifier, a description
   of the problem, the versions of Tomcat affected, and the version in
   which a fix appears.

All this information is easy to find on the Tomcat web site. Please read
the documentation before continuing to ask questions such as these.

-chris
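As an added example that is not part of the thread: a small Python audit that encodes the version guidance given above (4.1.x at or above 4.1.40, 5.5.x later than 5.5.17) and checks a host inventory against it. The inventory lines are constructed, the branch cutoffs are taken from the thread rather than from the Tomcat security pages, and any other branch is reported as needing a look at those pages.

```python
# Added example, not from the mailing-list thread: flag Tomcat instances
# that fall below the upgrade targets discussed above.
# Cutoffs are the thread's guidance, not a full CVE-2007-1858 fix list:
#   4.1.x -> at least 4.1.40 (the recommended patch level)
#   5.5.x -> later than 5.5.17 (Chris's reading of the CVE entry)
# Any other branch is reported as "unknown-branch": consult the
# Security page for that major version before deciding.
from typing import Dict, Optional, Tuple

POLICY: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (4, 1): (4, 1, 40),   # upgrade to latest 4.1.x
    (5, 5): (5, 5, 18),   # "a version later than 5.5.17"
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'Apache Tomcat/4.1.31' or '4.1.40' into a comparable int tuple."""
    ver = text.rsplit("/", 1)[-1].strip()
    parts = ver.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(text: str) -> Optional[bool]:
    """True if below policy, False if acceptable, None if branch not covered."""
    version = parse_version(text)
    minimum = POLICY.get(version[:2])
    if minimum is None:
        return None
    return version < minimum   # tuple comparison, component by component


# Constructed inventory (host, version banner); not real hosts.
INVENTORY = """\
app01 Apache Tomcat/4.1.31
app02 Apache Tomcat/4.1.40
web01 Apache Tomcat/5.5.17
web02 Apache Tomcat/5.5.27
old01 Apache Tomcat/5.0.28
"""


def audit(inventory: str) -> Dict[str, str]:
    """Map each host to 'upgrade', 'ok' or 'unknown-branch'."""
    labels = {True: "upgrade", False: "ok", None: "unknown-branch"}
    result = {}
    for line in inventory.splitlines():
        host, banner = line.split(" ", 1)
        result[host] = labels[needs_upgrade(banner)]
    return result


if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```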