Yes sir, I have built them with and without installer apache the separated application. However, have you taken an installation with SSL and all tweaked, then installed a newer Apache and taken the files needed and plopped them into that onstage or apache? If so, do you have an approach or steps to remind yourself that you would share? I think it can be done fairly straightforwardly, but there might be a few issues along the way.

Sent from my iPhone

On Feb 19, 2011, at 1:57 PM, Axton <[email protected]> wrote:

> With all infrastructure components (Apache, Tomcat, etc.) that come bundled
> with software stacks I suggest maintaining the infrastructure separate from
> the actual applications. I look at the bundled components as a helper to get
> things easily deployed (for the purposes of a reference implementation,
> demos, etc.) but not as a production ready application stack. There are some
> vendors that only support their software on the bundled Tomcat/JBoss, etc.,
> in my opinion, this is a horrible practice because they rarely (if ever) keep
> up with security related issues with the bundled infrastructure components.
>
> If you look at the midtier patches (historically) have you ever seen one with
> patch files for the bundled Tomcat? If you look at the release cycle of
> Tomcat, how many times a year are security fixes released
> (search the pages for CVE)?
> http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
> http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
> http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
>
> Or for the short list:
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
>
> This is just my opinion based on my observations of common practices of
> software vendors en masse. I'm sure there are software vendors that maintain
> the full bundled application stack, but from my observations this is the
> exception rather than the norm.
>
> Just out of curiosity, can people post the version (major, minor) of Tomcat
> bundled with the mid-tier, esp. those that used the patch installer to build
> their mid-tier servers?
>
> Axton Grams
>
> The opinions, statements, and/or suggested courses of action expressed in
> this E-mail do not necessarily reflect those of BMC Software, Inc. My
> voluntary participation in this forum is not intended to convey a role as a
> spokesperson, liaison or public relations representative for BMC Software,
> Inc.
>
> On Fri, Feb 18, 2011 at 11:45 AM, patrick zandi <[email protected]> wrote:
> but I am also reading that the only fix action is going to the tomcat 7.08
> or 6.0.32 ... only...
> Anyone worked on this one..
>
> On Fri, Feb 18, 2011 at 12:42 PM, patrick zandi <[email protected]> wrote:
> Wait I see it is pointing to /examples Didn't BMC delete that? I think they
> did.. so I guess it would not matter.
>
> On Fri, Feb 18, 2011 at 12:39 PM, patrick zandi <[email protected]> wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CAN-2002-0682
>
> So this attack affects all tomcats 5, 6, 7 => does anyone know if it is
> affecting their midtiers?
> Also is BMC recommending this? or are they coming out with their own patch?
>
> <insert Dave's answer here>
>
> Just wondering..
> --
> Patrick Zandi
>
> --
> Patrick Zandi
>
> --
> Patrick Zandi
> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_

UNSUBSCRIBE or access ARSlist Archives at www.arslist.org

