tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: HttpOnly
Date Tue, 12 Jun 2012 14:11:03 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul,

On 6/12/12 9:03 AM, Paul Singleton wrote:
> On 12/06/2012 06:57, Caldarale, Charles R wrote:
>>> From: N.s.Karthik [mailto:nskarthik.k@gmail.com] Subject:
>>> HttpOnly
>> 
>>> Tomcat 6.0.10
>> 
>>> For some specific Reason We use Tomcat 6.0.10 for Dev/Deploy
>>> in INTRANET.
>> 
>> Sorry, but there is simply no excuse for using a version of
>> Tomcat that's over five years old.
> 
> There may be a sound business rationale for using old versions of 
> software.
> 
> Tomcat 5.5.9, for example, works as well now as it did when it was 
> judged ready to be a stable release.
> 
> If there are no bugs or missing features in it which affect the 
> security or functionality of an application, then there is no
> benefit from upgrading

You are absolutely right. Feel free to read the find documentation on
the Tomcat site about all the security vulnerabilities that have been
fixed since 6.0.10 (and 5.5.9 for that matter).

> but there will be costs and risks:
> 
> * downtime and manpower for the upgrade
> 
> * recommissioning/retesting: unless *all* acceptance tests are 
> automated, this can be far more expensive than deploying the 
> upgrade

You are right about this, too. But there are certainly risks to not
upgrading as well. I'll leave those as an exercise for the reader.

> * risk of introducing new bugs in new code

Unless your webapp needs modifications to run under a new version of
Tomcat (which should never be the case when staying on a major-version
number line), you shouldn't be introducing any new bugs into any code.
Unless you mean bugs in Tomcat, which are always a possibility.

So I guess you're saying that it's better to stick with the devil you
know?

> In general, older software is better understood and less risky
> than new software, and if it meets requirements, is preferable.

In general, yes. I this case, no, for at least 2 reasons:

1. Many security, stability, and performance updates between 6.0.10
   and 6.0.35.
2. Volunteer support on this forum doesn't care to support truly
   ancient versions of software that is freely available.

If the OP wants to go purchase a support contract for Tomcat 6.0.10,
he or she can certainly do that.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/XTfcACgkQ9CaO5/Lv0PDQ+gCfd9Ke/xalZjCfDUMLu9c0Vyqq
CjsAn1/01RJAYsVL1A5prIMPFbQz8eek
=zGcQ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message