potential thread? and what should we do?

2009-06-24 Thread Niki Diulgerov

Hello there,
recently I'm reading in the security news channels that there are 
discovered multiple vulnerabilities in tomcat and almost all versions 
are affected.

For example these news from today:
http://www.linuxsecurity.com/content/view/149201?rdf

On the other side, I can see that the latest version of tomcat is 5.5.27 
and the package is created in 2008 (06-Sep).


Are there any fixes, or some new version comes soon? Does someone know 
something about this.




--
Best regards,

Nikolay Diulgerov
Network Administrator



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: potential thread? and what should we do?

2009-06-24 Thread Leon Rosenberg
The latest version of tomcat is 6.0.20 and it's about one month old.

http://tomcat.apache.org/download-60.cgi#6.0.20

enjoy :-)

Leon




Re: potential thread? and what should we do?

2009-06-24 Thread Niki Diulgerov
Does this mean that 5.5.x is no more developed, and there will be no 
new versions in the 5.5 branch?


Best regards,

Nikolay Diulgerov
Network Administrator
E-mail: ndiulge...@imx.fr
Telephone : +33 4 89 87 77 77
Fax :   +33 4 89 87 77 00
Web: http://www.codix-france.com





  


Re: potential thread? and what should we do?

2009-06-24 Thread Leon Rosenberg
I'm probably the wrong person to answer this, but there will be
patches and updates to 5.5.x as there are for even 4.1.x, but the
general development is moving along to tomcat 7, so 5.5.x is an
outdated model.

However, for almost all webapps the migration to 6.0.x is rather
smooth (I've had an issue with some unescaped quotes but that was
all).

regards
Leon




Re: potential thread? and what should we do?

2009-06-24 Thread André Warnier

Leon Rosenberg wrote:
> I'm probably the wrong person to answer this,
> ...

Me too, but a pretty detailed overview of these matters is always 
available here:

http://tomcat.apache.org/whichversion.html




Re: potential thread? and what should we do?

2009-06-24 Thread André Warnier

André Warnier wrote:
> Leon Rosenberg wrote:
>> I'm probably the wrong person to answer this,
>> ...
> Me too, but a pretty detailed overview of these matters is always
> available here:
>
> http://tomcat.apache.org/whichversion.html

and here:
http://tomcat.apache.org/security.html

All these links are available directly on the Tomcat website home page.
http://tomcat.apache.org

I guess what is really missing, is a meta home page, where it would be 
mentioned that all these links are available on the home page.

;-)




Re: potential thread? and what should we do?

2009-06-24 Thread David kerber

Niki Diulgerov wrote:
> Hello there,
> recently I'm reading in the security news channels that there are
> discovered multiple vulnerabilities in tomcat and almost all
> versions are affected.
>
> For example these news from today:
> http://www.linuxsecurity.com/content/view/149201?rdf
>
> On the other side, I can see that the latest version of tomcat is
> 5.5.27 and the package is created in 2008 (06-Sep).
>
> Are there any fixes, or some new version comes soon? Does someone know
> something about this.


I asked this question a couple of weeks ago, and they said that the fix 
in the TC6 line is already done in 6.0.20, and the TC5.5 and TC4 lines 
will have this fixed in the not-too-distant future.


D






Re: potential thread? and what should we do?

2009-06-24 Thread Niki Diulgerov
After doing some reading of the documentation I found that these bugs 
are fixed in the SVN repository. Also checking out the latest source I 
can see that it is revision (Checked out revision 787991) and tomcat is 
with version 5.5.28.
Following the simple instructions on the site 
(http://tomcat.apache.org/tomcat-5.5-doc/building.html) anyone can build 
the latest release and get version with these bugs fixed.





Best regards,

Nikolay Diulgerov
Network Administrator







Re: potential thread? and what should we do?

2009-06-24 Thread Christopher Schultz
Nikolay,

On 6/24/2009 4:20 AM, Niki Diulgerov wrote:
> Does this mean that 5.5.x is no more developed, and there will be no
> new versions in the 5.5 branch?

http://wiki.apache.org/tomcat/TomcatVersions

- -chris



Re: potential thread? and what should we do?

2009-06-24 Thread Mark Thomas
Niki Diulgerov wrote:
> After doing some reading of the documentation I found that these bugs
> are fixed in the SVN repository. Also checking out the latest source I
> can see that it is revision (Checked out revision 787991) and tomcat is
> with version 5.5.28.
> Following the simple instructions on the site
> (http://tomcat.apache.org/tomcat-5.5-doc/building.html) anyone can build
> the latest release and get version with these bugs fixed.

Just be aware that although what you download from svn today may call
itself 5.5.28, there may be other changes made before 5.5.28 is tagged.

If you want to work with the same source code as we used to build the
release, you need to checkout the tag rather than trunk.

Mark

 
 
 
 



Re: potential thread? and what should we do?

2009-06-24 Thread Niki Diulgerov

Mark,
I used the build.xml downloaded from here
(http://tomcat.apache.org/tomcat-5.5-doc/build.xml).
Looking at it I can see that it checks out
http://svn.apache.org/repos/asf/tomcat/current/tc5.5.x (probably the
latest available revision).

Please advise me does it contain the latest approved patches or also the
latest applied (but still not approved) patches.

Should I change something in the build.xml script or I should manually
checkout from different location (or different revision but not the head
one)

The idea is to check out the latest 5.5.x version with approved bugfixes
and to build tomcat, cause on tomcat.apache.org the binaries are from 2008.



Best regards,

Nikolay Diulgerov
Network Administrator



  


Re: potential thread? and what should we do?

2009-06-24 Thread Leon Rosenberg
A bit of advice...

It's much less risky and complicated to take the last 6.0.x version,
namely 6.0.20, instead of building what will become
your unique personal tomcat version r-something.

If your car is broken, do you buy a new one from a vendor, or do you
buy a do it yourself manual and separate parts and spend next
three years in the garage assembling? .-)

Leon




Re: potential thread? and what should we do?

2009-06-24 Thread Mark Thomas
Niki Diulgerov wrote:
> Mark,
> I used the build.xml downloaded from here
> (http://tomcat.apache.org/tomcat-5.5-doc/build.xml).
> Looking at it I can see that it checks out
> http://svn.apache.org/repos/asf/tomcat/current/tc5.5.x (probably the
> latest available revision).

Correct, that is the latest version of the 5.5.x branch.

> Please advise me does it contain the latest approved patches or also the
> latest applied (but still not approved) patches.

That is the latest 5.5.x code and all patches have been voted for by at
least 3 committers but that is not the same as an approved ASF release.
We run a number of tests, primarily the Servlet and JSP TCKs to ensure
spec compatibility. Releases also go through a number of other checks.

> Should I change something in the build.xml script or I should manually
> checkout from different location (or different revision but not the head
> one)
>
> The idea is to check out the latest 5.5.x version with approved bugfixes
> and to build tomcat, cause on tomcat.apache.org the binaries are from 2008.

You have:
- the latest 5.5.x code
- all the recent security fixes
- a number of bug fixes - see the change log
- *no* guarantee that the build is spec compliant
- something that is halfway between 5.5.27 and 5.5.28

Mark
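
The distinction drawn above between a tagged release and the head of the 5.5.x branch can be checked before a build is deployed. The following is an added example, not part of the thread and not Tomcat's own build tooling: it reads the text that `svn info` prints for a working copy and records whether the source is a tag or a moving line of development. The function names, the tag URL (a placeholder) and the assumption that tags live under a `/tags/` path component are illustrative.

```shell
#!/bin/sh
# Classify a Subversion checkout as a release tag or a moving line of
# development, from the text that `svn info` prints for the working copy.

# Constructed sample: branch URL and revision are the ones quoted in the thread.
SAMPLE_BRANCH_INFO='Path: .
URL: http://svn.apache.org/repos/asf/tomcat/current/tc5.5.x
Revision: 787991'

# Constructed sample: placeholder host and tag name, not a real Tomcat tag path.
SAMPLE_TAG_INFO='Path: .
URL: http://svn.example.invalid/repos/project/tags/RELEASE_TAG_PLACEHOLDER
Revision: 100'

# Print the value of one "Key: value" field from svn info text.
svn_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# Print "tag" if the URL has a /tags/ path component, otherwise "moving".
# Assumption: the repository follows the conventional tags layout.
classify_checkout() {
    url=$(svn_field "$1" URL)
    case "$url" in
        */tags/?*) echo tag ;;
        *)         echo moving ;;
    esac
}

# Build a provenance line to store next to the build output, so a later
# reader can tell a release build from a snapshot that only carries the
# next version number.
provenance() {
    kind=$(classify_checkout "$1")
    url=$(svn_field "$1" URL)
    rev=$(svn_field "$1" Revision)
    if [ "$kind" = tag ]; then
        echo "release-source url=$url rev=$rev"
    else
        echo "snapshot url=$url rev=$rev (not a tagged release)"
    fi
}

# Gate for a deployment script: succeeds only for tag checkouts.
require_tag() {
    [ "$(classify_checkout "$1")" = tag ]
}

# Demo on the constructed samples; for a real working copy pass "$(svn info)".
provenance "$SAMPLE_BRANCH_INFO"
provenance "$SAMPLE_TAG_INFO"
```

A snapshot result does not mean the build lacks the security fixes; it means the exact revision has to be recorded, because the branch head keeps changing until the release is tagged.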

 
 
 



RE: potential thread? and what should we do?

2009-06-24 Thread Caldarale, Charles R
> From: Leon Rosenberg [mailto:rosenberg.l...@googlemail.com]
> Subject: Re: potential thread? and what should we do?
>
> If your car is broken, do you buy a new one from a vendor, or do you
> buy a do it yourself manual and separate parts and spend next
> three years in the garage assembling? .-)

For Tomcat, I'd get a new one (the price is right).  For classic cars, you'll 
find me in the garage...

 - Chuck

