Message-ID: <641831.6615.qm@web94912.mail.in2.yahoo.com>
Date: Wed, 12 Aug 2009 22:17:26 -0700 (PDT)
From: sunil chandran
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: Tomcat Users List
In-Reply-To: <4A82D595.9020101@christopherschultz.net>

Hello all,

As per Christopher's response:

1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.

Can you please tell me what you mean by improving the patch level? How should I install Tomcat 4.1.40 on Tomcat 4.1.24? Is it a separate installation or a patch? Please help me.

--- On Wed, 12/8/09, Christopher Schultz wrote:

From: Christopher Schultz
Subject: Re: avoiding ssl vulnerabilities in tomcat
To: "Tomcat Users List"
Date: Wednesday, 12 August, 2009, 8:15 PM

Sunil,

On 8/12/2009 3:12 AM, sunil chandran wrote:
> The issue is SSL vulnerability. From the responses, I understood that
> I need to upgrade to the latest Tomcat version. As per the team, it is
> recommended to go for Tomcat 5 in our environment.

With all due respect to your team, I think they are making a mistake.
Either of these is a better choice in my opinion:

1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will
   provide the least headache because you will be staying on your
   current Tomcat version, just improving your patch level.
   Plan to upgrade to a newer release of Tomcat in the future.

2. Upgrade directly to Tomcat 6 without making a stop at Tomcat 5.5.
   If you are going to upgrade major versions, there is absolutely
   no reason for you to go to Tomcat 5.5, which will eventually have
   support dropped just like Tomcat 4.1 did.

> My question is: Is this vulnerability solved in the Tomcat 5 version?

Sheesh. Did you read the CVE description?

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1858

It clearly says that Tomcat 5.5 is vulnerable through 5.5.17 (which is
inaccurate: the fix for this is documented to be in 5.5.17). Make sure
you are using a version later than that if you must use 5.5.

Now, before you ask about what version of Tomcat 6 you need in order to
avoid this vulnerability, let me help you:

1. Go to Tomcat's web site (http://tomcat.apache.org/)
2. Follow the link that says "Security"
3. Pick your major Tomcat version
4. Read the fixes. Each one mentions the CVE identifier, a description
   of the problem, the versions of Tomcat affected, and the version in
   which a fix appears.

All this information is easy to find on the Tomcat web site. Please
read the documentation before continuing to ask questions such as these.

-chris
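The check the thread keeps coming back to is a version check: read the version the installed Tomcat reports and compare it with the release in which the security page says the fix appears. The script below is an added example, not code from the thread or from the Tomcat project. It parses the `Server version:` line that `$CATALINA_HOME/bin/version.sh` prints, compares dotted versions numerically, and reports whether an upgrade within the current branch is needed. The only minimum version it knows is the one quoted in the thread (4.1.40 for the 4.1 branch); for any other branch it reports `unknown-branch`, meaning "look it up on the Tomcat security page". The `version.sh` output embedded in the script is a constructed sample; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the Tomcat version reported by
# version.sh against the minimum fixed version quoted in the thread.

# Constructed sample of what "$CATALINA_HOME/bin/version.sh" prints. In a real
# run, replace this with: SAMPLE_VERSION_OUTPUT=$("$CATALINA_HOME/bin/version.sh")
SAMPLE_VERSION_OUTPUT='Server version: Apache Tomcat/4.1.24
Server built:   unknown (constructed sample)
OS Name:        Linux'

# Extract the dotted version (e.g. 4.1.24) from the "Server version:" line.
tomcat_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's#^Server version: *Apache Tomcat/\([0-9][0-9.]*\).*#\1#p' \
        | head -n 1
}

# Compare two dotted versions component by component; prints lt, eq or gt.
# Missing trailing components count as 0, so 4.1 equals 4.1.0.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# Minimum release for the given branch. Only the value the thread states is
# filled in; every other branch must be looked up on the Tomcat security page.
minimum_fixed_version() {
    case $1 in
        4.1.*) echo 4.1.40 ;;   # latest 4.1.x per the thread
        *)     echo "" ;;       # unknown here: check the security page
    esac
}

# Prints "upgrade: <installed> -> <minimum>", "ok: <installed>",
# "unknown-branch", or "no-version" if the banner could not be parsed.
upgrade_status() {
    v=$(tomcat_version_from_output "$1")
    [ -n "$v" ] || { echo no-version; return; }
    min=$(minimum_fixed_version "$v")
    [ -n "$min" ] || { echo unknown-branch; return; }
    case $(version_cmp "$v" "$min") in
        lt) echo "upgrade: $v -> $min" ;;
        *)  echo "ok: $v" ;;
    esac
}

upgrade_status "$SAMPLE_VERSION_OUTPUT"
```

Run against the constructed sample it prints `upgrade: 4.1.24 -> 4.1.40`. Tomcat point releases such as 4.1.40 are shipped as complete distributions rather than as patches applied to an existing tree, so "improving the patch level" in practice means installing the newer release alongside the old one, moving the deployed webapps and `server.xml` over, and re-running this check against the new installation.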