It "should" work indeed. I haven't tested out downgrading the tomcat related packages yet. It might not be so straightforward. Also of course it is a bit of a concern as all of the tomcat upgrades on a "normally" configured ubuntu system would be security upgrades. So we would be asking users to run with known vulnerabilities which I am a little uneasy about.
What we are saying effectively is that dhis2 v2.23 and earlier has a flaw which requires it to be run on a tomcat with known vulnerabilities. Effectively this translates to a vulnerability (in fact a bundle) in 2.23 for which the real remedy is to upgrade to 2.24. Downgrading tomcat is a distant second best workaround. I still have to scratch my head a bit to figure out and test a neat/quick way to achieve this with dhis2-tools where it might be difficult to do a quick upgrade to 2.24.

On 1 February 2017 at 13:05, Jason Pickering <jason.p.picker...@gmail.com> wrote:
> Lars had advised me this would not be easy, as this fix would need to be made in several apps.
>
> I did not have time to figure out exactly which Tomcat package would work, but your approach sounds reasonable to me. We took a temporary route and used one we knew would work until the upgrade to at least 2.24 is feasible.
>
> On Wed, Feb 1, 2017, 18:38 Bob Jolliffe <bobjolli...@gmail.com> wrote:
>
>> Thanks Jason. To make matters more complicated it looks like ubuntu maintains its own patch release numbering of tomcat. So for example it looks like the problem first raised in Zim after upgrading 7.0.52-1ubuntu0.7 to 7.0.52-1ubuntu0.8.
>>
>> They can try to rewind that upgrade to see if good behaviour is restored.
>>
>> Then I believe you can hold back further upgrades to certain packages with apt-mark hold <package-name>. We'll see.
>>
>> How painful is it to patch dhis2 older versions? I was looking (without success) for the relevant github commit.
>>
>> On 1 February 2017 at 11:54, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>>
>> Hi Bob,
>>
>> https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.35/
>>
>> is known to work in this situation for me. Lars suggested this version and it worked for us.
>>
>> We had the exact same thing happen on another instance, which basically "broke" dhis2-tools, so for the time being, we are using this specific version of Tomcat as a local install to work around the problem until that instance can be upgraded.
>>
>> Specifically, it was this commit (thanks to BAO for finding it)
>>
>> https://github.com/apache/tomcat70/commit/a3d7be9e35505f85fc01f5f36451c710f9c9bbcc
>>
>> which introduced this, which seems to be Tomcat 7.0.73, so something earlier than that should work as well. I am not sure which commit this was in Tomcat 8.
>>
>> Hope that helps.
>>
>> Regards,
>> Jason
>>
>> On Wed, Feb 1, 2017 at 6:06 PM, Bob Jolliffe <bobjolli...@gmail.com> wrote:
>>
>> Hi Lars and all
>>
>> I can see this is going to cause quite a bit of chaos with large country installations where they are not able to be too agile with upgrading.
>>
>> Do you have more precise info on the exact tomcat version numbers? We just saw in Zim (DHIS 2.22) that the package manager automatically upgraded to 7.0.52 and they started seeing these problems. So maybe it is that version?
>>
>> They will have to try and come up with a process of downgrading tomcat and holding that version via the package manager as a short term measure while they plan any dhis2 upgrade process.
>>
>> So getting the exact tomcat versions where the URL checking was introduced will be helpful if you have them.
>>
>> On 7 January 2017 at 12:56, Lars Helge Øverland <l...@dhis2.org> wrote:
>>
>> Hi all,
>>
>> the latest builds of tomcat (the servlet container mostly used with DHIS 2) have tightened up validation of characters in URLs, so that only characters defined as safe per RFC 1738 <https://www.ietf.org/rfc/rfc1738.txt> are allowed. Our apps had some cases of un-escaped use of the pipe character which was causing tomcat to occasionally return 400 bad request.
>>
>> We have patched this now in 2.24, 2.25 and master.
>>
>> Bottom line: If you plan to upgrade to very latest Tomcat 7, 8 or 8.5 builds on your server, make sure to upgrade to latest 2.24 or 2.25 of DHIS 2.
>>
>> regards,
>>
>> Lars
>>
>> --
>> Lars Helge Øverland
>> Lead developer, DHIS 2
>> University of Oslo
>> Skype: larshelgeoverland
>> l...@dhis2.org
>> http://www.dhis2.org <https://www.dhis2.org/>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to : dhis2-us...@lists.launchpad.net
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help : https://help.launchpad.net/ListHelp
>>
>> --
>> Jason P. Pickering
>> email: jason.p.picker...@gmail.com
>> tel:+46764147049
_______________________________________________ Mailing list: https://launchpad.net/~dhis2-devs Post to : dhis2-devs@lists.launchpad.net Unsubscribe : https://launchpad.net/~dhis2-devs More help : https://help.launchpad.net/ListHelp
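As an added example that is not part of this thread or of DHIS 2 or Tomcat: a small Python check an administrator can run over Tomcat access-log lines to see whether 400 responses line up with request URLs carrying raw characters outside the RFC-safe set (the un-escaped pipe Lars describes), and what the same URL looks like once percent-encoded. The allowed-character set is my approximation of Tomcat's tightened check, the log format assumes the raw request line is recorded for rejected requests, and the sample log lines are constructed.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Assumption: approximates the set Tomcat's tightened parser accepts raw in path
# and query (RFC 3986 unreserved + sub-delims, ':' '@' '/' '?', and '%' for
# already-encoded octets). '|' is outside it, hence the 400s in the thread.
ALLOWED_RAW = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@/?%"
)

# Tomcat common log format; assumes the raw request line is recorded for 400s.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample access-log lines (not real DHIS 2 traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2017:13:05:12 +0200] "GET /dhis/api/dataElements?filter=name:like:a|b HTTP/1.1" 400 -
10.0.0.5 - - [01/Feb/2017:13:05:13 +0200] "GET /dhis/api/dataElements?filter=name:like:a%7Cb HTTP/1.1" 200 1843
10.0.0.7 - - [01/Feb/2017:13:06:01 +0200] "GET /dhis/api/analytics?dimension={dx} HTTP/1.1" 400 -
10.0.0.9 - - [01/Feb/2017:13:06:30 +0200] "GET /dhis/missing?x=a|b HTTP/1.1" 404 201
"""

def unsafe_chars(target: str) -> list[str]:
    """Distinct characters in a request target that must be percent-encoded."""
    return sorted({c for c in target if c not in ALLOWED_RAW})

def encode_target(target: str) -> str:
    """Percent-encode path and query so only allowed characters remain raw.
    '%' is kept so already-encoded octets are not double-encoded."""
    parts = urlsplit(target)
    path = quote(parts.path, safe="/:@!$&'()*+,;=%")
    query = quote(parts.query, safe="/?:@!$&'()*+,;=%")
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def find_rejected_requests(log_lines):
    """(target, offending chars) for each 400 whose target has raw unsafe chars."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("status") == "400":
            bad = unsafe_chars(m.group("target"))
            if bad:
                hits.append((m.group("target"), bad))
    return hits

if __name__ == "__main__":
    for target, bad in find_rejected_requests(SAMPLE_LOG.splitlines()):
        print(f"400 for {target}: raw {bad} -> use {encode_target(target)}")
```

A 400 whose request line contains no unsafe character points at a different cause and is deliberately not reported.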