7.5 GA or a patch level? Tomcat 5.5.28. Release Date: 2009-08-18
On Wed, Feb 23, 2011 at 8:55 AM, LJ LongWing <[email protected]> wrote:
> Axton,
>
> The Tomcat that comes with 7.5 is 5.5.28
>
> From: Action Request System discussion list (ARSList) [mailto:[email protected]] On Behalf Of Axton
> Sent: Saturday, February 19, 2011 11:58 AM
> To: [email protected]
> Subject: Re: tomcat DOS attack question
>
> With all infrastructure components (Apache, Tomcat, etc.) that come bundled with software stacks I suggest maintaining the infrastructure separate from the actual applications. I look at the bundled components as a helper to get things easily deployed (for the purposes of a reference implementation, demos, etc.) but not as a production-ready application stack. There are some vendors that only support their software on the bundled Tomcat/JBoss, etc.; in my opinion, this is a horrible practice because they rarely (if ever) keep up with security-related issues with the bundled infrastructure components.
>
> If you look at the midtier patches (historically), have you ever seen one with patch files for the bundled Tomcat? If you look at the release cycle of Tomcat, how many times a year are security fixes released (search the pages for CVE)?
>
> http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
> http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
> http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
>
> Or for the short list:
>
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
>
> This is just my opinion based on my observations of common practices of software vendors en masse. I'm sure there are software vendors that maintain the full bundled application stack, but from my observations this is the exception rather than the norm.
>
> Just out of curiosity, can people post the version (major, minor) of Tomcat bundled with the mid-tier, esp. those that used the patch installer to build their mid-tier servers?
>
> Axton Grams
>
> The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc.
>
> On Fri, Feb 18, 2011 at 11:45 AM, patrick zandi <[email protected]> wrote:
>
> but I am also reading that the only fix action is going to the tomcat 7.08 or 6.0.32 ... only...
> Anyone worked on this one..
>
> On Fri, Feb 18, 2011 at 12:42 PM, patrick zandi <[email protected]> wrote:
>
> Wait, I see it is pointing to /examples. Didn't BMC delete that? I think they did.. so I guess it would not matter.
>
> On Fri, Feb 18, 2011 at 12:39 PM, patrick zandi <[email protected]> wrote:
>
> http://nvd.nist.gov/nvd.cfm?cvename=CAN-2002-0682
>
> So this attack affects all tomcats 5, 6, 7 => does anyone know if it is affecting their midtiers?
> Also is BMC recommending this? or are they coming out with their own patch?
>
> <insert Dave's answer here>
>
> Just wondering..
> --
> Patrick Zandi
>
> attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
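Axton asks people to post the Tomcat version bundled with their mid-tier, and Patrick's reading is that the fix lives only in the 6.0.32 and 7.0.8 releases (written "7.08" in the thread; Tomcat 7.0 releases are numbered 7.0.x). The following is an added example, not code from the thread, from BMC or from the Tomcat project: a small Python script that parses the version line printed by Tomcat's `org.apache.catalina.util.ServerInfo` class (run as `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from the Tomcat install directory) and compares it against a per-branch table of minimum fixed releases. The table holds only the two versions the thread states and is not verified against the advisory; the host names and `ServerInfo` outputs are constructed sample data.

```python
import re

# Minimum fixed release per Tomcat branch, taken from the thread's own claim
# that the fix requires 6.0.32 or 7.0.8. These are what the thread states,
# not values verified against the advisory; a branch with no entry (such as
# the bundled 5.5 line) has no fixed release listed in the thread at all.
FIXED_RELEASES = {
    (6, 0): (6, 0, 32),
    (7, 0): (7, 0, 8),
}

# ServerInfo prints a line of the form "Server version: Apache Tomcat/5.5.28".
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(server_info_output):
    """Return (major, minor, patch) from ServerInfo output.

    Comparing as a tuple of integers matters: a plain string comparison
    would rank "7.0.10" below "7.0.8" and report a patched host as old.
    """
    match = VERSION_RE.search(server_info_output)
    if match is None:
        raise ValueError("no 'Apache Tomcat/x.y.z' version string found")
    return tuple(int(part) for part in match.groups())


def assess(version, fixed_releases=FIXED_RELEASES):
    """Classify a version tuple against the fixed-release table.

    Returns one of:
      "fixed"                       - at or above the branch's fixed release
      "below-fixed-release"         - same branch, older than the fix
      "no-fixed-release-for-branch" - branch absent from the table
    """
    branch = version[:2]
    minimum = fixed_releases.get(branch)
    if minimum is None:
        return "no-fixed-release-for-branch"
    # Tuple comparison is lexicographic, so (6, 0, 32) >= (6, 0, 32) and
    # (7, 0, 10) > (7, 0, 8) behave as a human reading the numbers expects.
    return "fixed" if version >= minimum else "below-fixed-release"


def report(server_info_by_host, fixed_releases=FIXED_RELEASES):
    """Map host -> (dotted version string, status) for collected outputs."""
    result = {}
    for host, output in server_info_by_host.items():
        version = parse_version(output)
        dotted = ".".join(str(part) for part in version)
        result[host] = (dotted, assess(version, fixed_releases))
    return result


# Constructed sample outputs for hypothetical hosts: the bundled 5.5.28 the
# thread identifies, plus a pre-fix and a post-fix 6.0 install for contrast.
SAMPLE_OUTPUTS = {
    "midtier-bundled": (
        "Server version: Apache Tomcat/5.5.28\n"
        "Server number:  5.5.28.0\n"
        "OS Name:        Linux\n"
    ),
    "midtier-standalone-old": (
        "Server version: Apache Tomcat/6.0.29\n"
        "Server number:  6.0.29.0\n"
        "OS Name:        Linux\n"
    ),
    "midtier-standalone-new": (
        "Server version: Apache Tomcat/6.0.32\n"
        "Server number:  6.0.32.0\n"
        "OS Name:        Linux\n"
    ),
}


if __name__ == "__main__":
    for host, (dotted, status) in sorted(report(SAMPLE_OUTPUTS).items()):
        print(f"{host:24} {dotted:8} {status}")
```

Feeding the script real `ServerInfo` output from each mid-tier host gives the inventory Axton asks for, and the "no-fixed-release-for-branch" outcome for the bundled 5.5.28 is the practical point of his argument: a branch the vendor does not patch has to be tracked and upgraded separately from the application that shipped it.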

