Re: Incorporating changes and compiling Tomcat
On 27/09/2011 21:58, gilbert.be...@bcbssc.com wrote:
> Can anyone please direct me to instructions on how to incorporate
> fixes and then recompile. Target OS is Windows Server 2003. Thanks!

Note: Tomcat doesn't issue patches, a new version is released.

Unless you are planning to write patches yourself, you should just download the latest version.

p

RE: Incorporating changes and compiling Tomcat
So, what are security minded system administrators to do about mitigating CVE-2011-3190 against V6.0.33?

From the http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released) page

Mitigation options:

Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]
Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]
Configure both Tomcat and the reverse proxy to use a shared secret. ...
Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation. ...

V/R,
Bruce

-----Original Message-----
From: users-return-228011-BRUCE.R.WILDE=saic@tomcat.apache.org [mailto:users-return-228011-BRUCE.R.WILDE=saic@tomcat.apache.org] On Behalf Of Pid
Sent: Wednesday, September 28, 2011 1:34 PM
To: Tomcat Users List
Subject: Re: Incorporating changes and compiling Tomcat

On 27/09/2011 21:58, gilbert.be...@bcbssc.com wrote:
> Can anyone please direct me to instructions on how to incorporate
> fixes and then recompile. Target OS is Windows Server 2003. Thanks!

Note: Tomcat doesn't issue patches, a new version is released.

Unless you are planning to write patches yourself, you should just download the latest version.

p

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Incorporating changes and compiling Tomcat
2011/9/28 Wilde, Bruce R. bruce.r.wi...@saic.com:
> So, what are security minded system administrators to do about mitigating CVE-2011-3190 against V6.0.33?
>
> From the http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released) page
>
> Mitigation options:
>
> Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]

or to 7.0.21

> Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]

man patch
svn help patch (since Subversion 1.7)

Or apply it manually using your text editor of choice.

> Configure both Tomcat and the reverse proxy to use a shared secret.

Read configuration reference. Any Tomcat administrator should have done so once.

> ...
> Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation.

The above one is the easiest. I would recommend it.

BTW, this is the connector implementation that is used by default when you do not have Tomcat-Native/APR installed. That is what most users are already using by default.

Regarding original question how to build it:
There are
- BUILDING.txt
- webapps/docs/building.html
in every release. What else is needed?

Best regards,
Konstantin Kolinko

RE: Incorporating changes and compiling Tomcat
Unfortunately, the government won't let us wait. Maybe patches is the wrong word. For instance the updated code for AjpAprProcessor.java and AjpProcessor.java needed to fix CVE-2011-3190 is available and has been incorporated into 6.0.34, they just haven't released it yet. So what I'm trying to do is to manually incorporate the changes and rebuild Tomcat, something I've never done before. Not being that well versed in Java and ant, I've been doing a lot of head scratching.

Gilbert Berry
Blue Cross/Blue Shield of South Carolina
Tricare Post Adjudication Reporting
(803) 763-1873 x 31873
(803) 466-7282 cell
gilbert.be...@mytricare.com
THIS EMAIL IS CONFIDENTIAL
http://www.bcbssc.com/confidentiality.htm

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Wednesday, September 28, 2011 1:34 PM
To: Tomcat Users List
Subject: Re: Incorporating changes and compiling Tomcat

On 27/09/2011 21:58, gilbert.be...@bcbssc.com wrote:
> Can anyone please direct me to instructions on how to incorporate
> fixes and then recompile. Target OS is Windows Server 2003. Thanks!

Note: Tomcat doesn't issue patches, a new version is released.

Unless you are planning to write patches yourself, you should just download the latest version.

p

RE: Incorporating changes and compiling Tomcat
Thank you. I guess all I need now is caffeine.

Gilbert Berry
Blue Cross/Blue Shield of South Carolina
Tricare Post Adjudication Reporting

-----Original Message-----
From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
Sent: Wednesday, September 28, 2011 1:56 PM
To: Tomcat Users List
Subject: Re: Incorporating changes and compiling Tomcat

2011/9/28 Wilde, Bruce R. bruce.r.wi...@saic.com:
> So, what are security minded system administrators to do about mitigating CVE-2011-3190 against V6.0.33?
>
> From the http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released) page
>
> Mitigation options:
>
> Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]

or to 7.0.21

> Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]

man patch
svn help patch (since Subversion 1.7)

Or apply it manually using your text editor of choice.

> Configure both Tomcat and the reverse proxy to use a shared secret.

Read configuration reference. Any Tomcat administrator should have done so once.

> ...
> Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation.

The above one is the easiest. I would recommend it.

BTW, this is the connector implementation that is used by default when you do not have Tomcat-Native/APR installed. That is what most users are already using by default.

Regarding original question how to build it:
There are
- BUILDING.txt
- webapps/docs/building.html
in every release. What else is needed?

Best regards,
Konstantin Kolinko

Re: Incorporating changes and compiling Tomcat
Bruce,

On 9/28/2011 1:44 PM, Wilde, Bruce R. wrote:
> So, what are security minded system administrators to do about
> mitigating CVE-2011-3190 against V6.0.33?

This is the option I chose:

(c) Configure both Tomcat and the reverse proxy to use a shared secret.

You could also switch to the non-APR connector:

(d) Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation.

-chris

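An added example, not part of any message in this thread and not Tomcat project code: a small audit of a server.xml for the two configuration-only mitigations named above, the shared secret (c) and the BIO connector (d), on a 6.0.33 install. The attribute names request.secret and requiredSecret, the protocol strings other than org.apache.jk.server.JkCoyoteHandler, the status labels and the sample file are assumptions; confirm them against the AJP connector configuration reference for your version.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread); the secret is a placeholder.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpAprProtocol" />
    <Connector port="8011" protocol="org.apache.jk.server.JkCoyoteHandler" />
    <Connector port="8012" protocol="AJP/1.3" request.secret="PLACEHOLDER" />
  </Service>
</Server>
"""

BIO_HANDLER = "org.apache.jk.server.JkCoyoteHandler"  # named in the thread
# Assumed shared-secret attribute names; verify in the connector reference.
SECRET_ATTRS = ("request.secret", "requiredSecret")


def audit_ajp_connectors(server_xml):
    """Return {port: status} for every AJP connector in a server.xml string."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default is HTTP
        generic_ajp = protocol.upper().startswith("AJP")
        if not (generic_ajp or ".ajp." in protocol or protocol == BIO_HANDLER):
            continue  # not an AJP connector
        port = conn.get("port", "?")
        if any(conn.get(attr) for attr in SECRET_ATTRS):
            # Option (c): an empty value does not count; the reverse proxy
            # must be configured with the same secret.
            findings[port] = "secret-set"
        elif protocol == BIO_HANDLER:
            findings[port] = "bio-explicit"  # option (d), pinned in config
        elif generic_ajp:
            # "AJP/1.3" is BIO only when Tomcat-Native/APR is not installed,
            # which server.xml alone cannot tell you.
            findings[port] = "check-native"
        else:
            findings[port] = "needs-mitigation"  # explicit non-BIO AJP class
    return findings


if __name__ == "__main__":
    for port, status in sorted(audit_ajp_connectors(SAMPLE_SERVER_XML).items()):
        print(port, status)
```
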
Re: Incorporating changes and compiling Tomcat
Gilbert,

On 9/28/2011 1:58 PM, gilbert.be...@bcbssc.com wrote:
> Unfortunately, the government won't let us wait. Maybe patches is
> the wrong word. For instance the updated code for
> AjpAprProcessor.java and AjpProcessor.java needed to fix
> CVE-2011-3190 is available and has been incorporated into 6.0.34,
> they just haven't released it yet. So what I'm trying to do is to
> manually incorporate the changes and rebuild Tomcat, something I've
> never done before. Not being that well versed in Java and ant, I've
> been doing a lot of head scratching.

You have non-code-patching options for mitigating this vulnerability: see other posts in this thread (specifically, Bruce's branch).

-chris

Re: Incorporating changes and compiling Tomcat
On 28/09/2011 18:44, Wilde, Bruce R. wrote:
> So, what are security minded system administrators to do about mitigating CVE-2011-3190 against V6.0.33?
>
> From the http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.34_(not_yet_released) page
>
> Mitigation options:
>
> Upgrade to Tomcat 6.0.34. [Ed. What is the expected release date?]
> Apply the appropriate patch. [Ed. Patch provides 2 java source files; requiring a re-compilation]
> Configure both Tomcat and the reverse proxy to use a shared secret. ...
> Use the org.apache.jk.server.JkCoyoteHandler (BIO) AJP connector implementation. ...

It's a fair question, and you do provide answers - but those are aimed at a specific problem.

This may be appropriate, but the OP did not declare their interest and we do sometimes have people asking how to compile in Tomcat patches because they misunderstand the release protocol/process.

Details matter: it's fair to challenge the question and provide a range of answers if the subject is unclear IMO.

p

Re: Incorporating changes and compiling Tomcat
2011/9/28 gilbert.be...@bcbssc.com:
> Can anyone please direct me to instructions on how to incorporate
> fixes and then recompile. Target OS is Windows Server 2003. Thanks!

RTFM?

Re: Incorporating changes and compiling Tomcat
----- Original Message -----
From: gilbert.be...@bcbssc.com gilbert.be...@bcbssc.com
To: users@tomcat.apache.org
Cc:
Sent: Tuesday, September 27, 2011 1:58 PM
Subject: Incorporating changes and compiling Tomcat

> Can anyone please direct me to instructions on how to incorporate
> fixes and then recompile. Target OS is Windows Server 2003. Thanks!
>
> Gilbert Berry
> Blue Cross/Blue Shield of South Carolina
> Tricare Post Adjudication Reporting

I'm not a developer, although I keep a copy of the source via SVN for 5.5.x, 6.0.x, 7.0.x, and trunk.

For Tomcat 7, the instructions are here:

http://tomcat.apache.org/tomcat-7.0-doc/building.html

I've never had any trouble building 5.5.x, 6.0.x, 7.0.x, or trunk from SVN.

. . . . just my two cents.

/mde/