tomcat-users mailing list archives

From Daniel Mikusa <dmik...@gopivotal.com>
Subject Re: Fix CVE tomcat 6.0.18 with out upgrade
Date Wed, 08 May 2013 17:27:30 GMT
On May 8, 2013, at 1:17 PM, suresh babu yella wrote:

> Hi Dan,
> 
> We might consider for upgrading the tomcat later, due to supportability
> concerns from Autonomy we cannot upgrade it to any of the higher versions.

I don't know that vendor, but it sounds like you might need to have a conversation with them
and see what is taking them so incredibly long (6.0.18 was released in Jul 2008) to upgrade.

> 
> but right now we are looking to apply the fix for all CVE's we identified,
> it will be great if you can let me know the procedure.

Each of the security issues that have been fixed is documented at the link you included.

 http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities

You might be able to go through and apply mitigations for each of them, but that's going to
be a long and tedious process.

This is why you should really consider upgrading.  That will bring everything up-to-date in
one step.

Dan

> 
> Thanks
> Suresh
> 
> 
> On Wed, May 8, 2013 at 10:11 AM, Daniel Mikusa <dmikusa@gopivotal.com> wrote:
> 
>> On May 8, 2013, at 12:11 PM, suresh babu yella wrote:
>> 
>>> We are using tomcat 6.0.18  and we found below number of Common
>>> Vulnerabilities and Exposures (CVE).
>> 
>> Not surprising given the version that you are using.  Latest version is
>> 6.0.37.
>> 
>>> 
>>> High Vulns: 98
>>> 
>>> Medium Vulns: 50
>>> 
>>> Low Vulns: 6
>>> We cannot upgrade/patch any of those components due to supportability
>>> concerns from Autonomy.
>>> 
>>> How can I apply a fix for all the CVE, I see the build instructions in
>>> below link but I was looking for applying the fixes without upgrade.
>> 
>> You should really consider upgrading.  Why are you so opposed to upgrading?
>> 
>> Dan
>> 
>>> 
>>> Security -
>>> 
>> http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
>>> Build Instructions -
>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>>> 
>>> 
>>> Thanks
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>> 
>> 

