Fix CVE tomcat 6.0.18 without upgrade
We are using Tomcat 6.0.18 and we found the following number of Common Vulnerabilities and Exposures (CVE):

High Vulns: 98
Medium Vulns: 50
Low Vulns: 6

We cannot upgrade/patch any of those components due to supportability concerns from Autonomy. How can I apply a fix for all the CVEs? I see the build instructions in the link below, but I was looking to apply the fixes without an upgrade.

Security - http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
Build Instructions - http://tomcat.apache.org/tomcat-6.0-doc/building.html

Thanks
Re: Fix CVE tomcat 6.0.18 without upgrade
Hi Dan,

We might consider upgrading Tomcat later; due to supportability concerns from Autonomy we cannot upgrade it to any higher version. But right now we are looking to apply the fix for all the CVEs we identified. It will be great if you can let me know the procedure.

Thanks
Suresh

On Wed, May 8, 2013 at 10:11 AM, Daniel Mikusa dmik...@gopivotal.com wrote:

> On May 8, 2013, at 12:11 PM, suresh babu yella wrote:
>
>> We are using Tomcat 6.0.18 and we found the following number of Common Vulnerabilities and Exposures (CVE).
>
> Not surprising given the version that you are using. Latest version is 6.0.37.
>
>> High Vulns: 98
>> Medium Vulns: 50
>> Low Vulns: 6
>>
>> We cannot upgrade/patch any of those components due to supportability concerns from Autonomy. How can I apply a fix for all the CVEs? I see the build instructions in the link below, but I was looking to apply the fixes without an upgrade.
>
> You should really consider upgrading. Why are you so opposed to upgrading?
>
> Dan
>
>> Security - http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
>> Build Instructions - http://tomcat.apache.org/tomcat-6.0-doc/building.html
>>
>> Thanks
Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.
Hi,

We are using Tomcat 6.0.18 and we got a common vulnerability reported for having default files, example JSPs and Servlets from the Tomcat Servlet/JSP container. I need the steps to remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.

Thanks
Suresh
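An added example, not part of the original post and not Tomcat's own tooling: a read-only check that lists which of the web applications shipped with the Tomcat 6 distribution (docs, examples, host-manager, manager and the stock ROOT) are still deployed under a given CATALINA_HOME. The function names, the constructed sample layout and the RELEASE-NOTES.txt test for a stock ROOT are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report stock Tomcat 6 web applications that are still deployed.

# Web applications shipped in the Tomcat 6 binary distribution (besides ROOT).
STOCK_APPS="docs examples host-manager manager"

# Print one name per line for every stock application found under
# <catalina_home>/webapps, as an expanded directory or as a .war file.
# Returns 2 if the directory has no webapps folder.
list_stock_webapps() {
    webapps="$1/webapps"
    if [ ! -d "$webapps" ]; then
        echo "no webapps directory under $1" >&2
        return 2
    fi
    for app in $STOCK_APPS; do
        if [ -d "$webapps/$app" ] || [ -f "$webapps/$app.war" ]; then
            echo "$app"
        fi
    done
    # Heuristic (assumption): the stock ROOT application carries the
    # distribution's RELEASE-NOTES.txt; a site's own ROOT normally does not.
    if [ -f "$webapps/ROOT/RELEASE-NOTES.txt" ]; then
        echo "ROOT"
    fi
    return 0
}

# Constructed sample layout so the example runs offline:
# three stock apps, a stock ROOT and one site application.
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/webapps/examples/jsp" "$home/webapps/docs" \
             "$home/webapps/manager" "$home/webapps/site-app" \
             "$home/webapps/ROOT"
    : > "$home/webapps/ROOT/RELEASE-NOTES.txt"
    list_stock_webapps "$home"
    rm -rf "$home"
}

demo
```

Anything it reports can be removed from `webapps` (directory and `.war`) while Tomcat is stopped; keep the manager applications only if they are actually used for deployment.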
New Mail Id
Hello all,

Please note my new mail ID [EMAIL PROTECTED], and also please send a test mail as well...

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: Garbage Collection executes 1GB but HEAP Size at 1.5GB!
Hi,

Just for your information: memory is divided into young and old generations; as an object's life increases, it will occupy space in the old generation. Please refer to the Sun JVM documentation. GC will keep happening once the memory (young generation) has reached the threshold. The young generation is again divided into survivor 0 and survivor 1 spaces. When an object is created, it keeps allocating in the survivor spaces alternately.

Two types of GC:
Mini GC: cleaning only within the young generation.
Full GC: if all objects present in the young generation are alive, cleaning happens in the old generation and hence it becomes a full GC.

The following is the info I sent in a mail to another person (it may be useful):

---
Setting heap size to -Xms256 -Xmx1024 will allocate memory initially to 256 MB and keep expanding, as more objects are allocated, up to 1024. My recommendation to you is, as mentioned in the previous mail, to set the heap size to -Xms1536 -Xmx1536 and verify it. But do not increase the heap size blindly to greater values, which may lead to performance issues (pause times for GC cleaning may become longer). Try the heap settings and let me know. If the problem is still there, just send the verbose output and log file.
---

On 1/10/07, starki78 [EMAIL PROTECTED] wrote:

> Hi
>
> I'm profiling my application with -verboseGC. My maximum heap-size is XMS is 1.5GB but the garbage collection always is executed when about 1GB is reached. Why is it so early? Is there anything to control this? I'm using Sun 1.4.2
>
> Thanks and nice greetings
> Starki

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: from https to http?
Hi all,

I have one question regarding http and https. Let's say I open a pop-up page from https; the pop-up window will be opened in https mode, as the main window is opened in https, and I have an action in the pop-up where it leaves https mode and enters http mode. If I want to put a value from the pop-up window into the main window, it gives a security violation JavaScript error. How do I resolve this?

Thanks
Suresh

On 1/4/07, Christopher Schultz [EMAIL PROTECTED] wrote:

> Pablo,
>
> John Doe wrote:
>> Thanks a lot for the explanation. Looks like Tomcat (or maybe the Servlet specification?) needs a mechanism to switch from https to http when this access is declared by a security-constraint, otherwise it is forcing programmers to always use programmatic security to make this switch
>
> It isn't Tomcat's job to guess when you want to go back to http, it's yours. It isn't very difficult to build a complete URL (including protocol) for a link. I would imagine that you have very few places in your application where you need to:
>
> 1. Switch from HTTP to HTTPS and
> 2. Switch from HTTPS to HTTP
>
> I recommend that you treat those as special cases and hand-code them as appropriate.
>
> -chris

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: Setting the classpath for my application
I agree with Chris.

On 7/25/06, Christopher Schultz [EMAIL PROTECTED] wrote:

> Darren,
>
>> My jar file (foo.jar) is in the webapps/abc/WEB-INF/lib directory for my 'abc' application. However, in the Catalina log file, when Tomcat starts, I get a ClassNotFound - com.abc.framework.ControlServlet error. Why can my servlet not be found if it resides in the jar under the WEB-INF/lib directory???
>
> Can you confirm with jar tvf webapps/abc/WEB-INF/lib/abc.jar that your class is actually in there with the path com/abc/framework/ControlServlet.class?
>
> Another thing you could try is this:
>
> $ javap -classpath webapps/abc/WEB-INF/lib/abc.jar \
>     com.abc.framework.ControlServlet
>
> This should print out the API of your class. If it does not, then either the JAR is broken or the package and class names are incorrect.
>
> -chris

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: out of memory error
GC details will be printed in the console.

On 7/20/06, MW Janssen [EMAIL PROTECTED] wrote:

> thx for the fact that you want to look into it.. i set those parameters and restarted tomcat.. are GC details printed in stdout.log??
>
> Maarten
>
> -----Original Message-----
> From: Suresh babu [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 20 July 2006 7:32
> To: Tomcat Users List; Martin Gainty
> Subject: Re: out of memory error
>
> Hi, please set this and send the verbose output log file.
> set JAVA_OPTS=%JAVA_OPTS% -verbosegc -XX:+PrintGCDetails
> I will look into this.
>
> On 7/19/06, Martin Gainty [EMAIL PROTECTED] wrote:
>
> Good Afternoon Jon-
> set Max Mem and Min Mem within jvm.cfg (-Xmx and -Xms options) to the same value
> http://java.sun.com/docs/hotspot/PerformanceFAQ.html#8
> Exercise caution on playing with stack SS. 64k is mighty lean; 512k (default for Sparc) and 256k (default for Intel) usually is plenty unless your program has some grossly huge stack allocations.
> Drivers- Also be mindful of synch points for Type 2 (OCI) drivers vs using Type 4 (thin) drivers..
> HTH
> Martin
>
> ----- Original Message -----
> From: Jon Wingfield [EMAIL PROTECTED]
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Wednesday, July 19, 2006 12:12 PM
> Subject: Re: out of memory error
>
> This may be of help (emphasis on may): http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4765019
> Has a bit about tuning Xss for a high number of threads.
>
> MW Janssen wrote:
>
> Hi, These are my parameters: I have Xmx1024m and Xms1024m as well for the heap size memory. I don't set Xss so I presume I use the default value.
>
> My Operating System:
> OS Name: Windows 2003
> OS Version: 5.2
> Total RAM: 2.00Gb
> Free RAM: 2.00Gb
> Committed JVM memory: 1.02Gb
> Total swap: 4.00Gb
> Free swap: 3.87Gb
> (from lambdaprobe)
>
> Maarten
>
> -----Original Message-----
> From: David Tonhofer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 19 July 2006 16:57
> To: Tomcat Users List
> Subject: Re: out of memory error
>
> MW Janssen wrote:
>
> java.lang.OutOfMemoryError: unable to create new native thread
>
> Are you sure it isn't just the heap and/or stack that's too small? Try starting the JVM with one of the extended options like -Xss500k -Xmx100m (if it is the Sun JVM)

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: Increase Heapsize
Hi,

It's an option to the JVM; just append this line there: -verbosegc -XX:+PrintGCDetails. To avoid out-of-memory errors, just make sure the minimum and maximum heap space are the same. You can find out still more information from the GC details logged on enabling the above option in the JVM. Check how much memory is reclaimed on each GC and how frequently minor or major GCs are happening. Moreover, you can set different algorithms, like copying collector, mark and compact, mark and sweep, incremental, or throughput collectors, in the young/old generation. You can find brief details in the following link.

http://java.sun.com/docs/hotspot/gc5.0/gc_tuning_5.html

On 7/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> Chris,
>
> This gives how much heapsize is currently allocated. How can I know whether it is enough or what size it should be increased to? Also: real time wise, how is tomcat behaving with each event/interaction/page delivery?
>
> Thanks,
> Ibrahim
>
> *Christopher Schultz [EMAIL PROTECTED]*
> 07/18/2006 09:00 AM
> Please respond to Tomcat Users List
> To: Tomcat Users List users@tomcat.apache.org
> cc:
> Subject: Re: Increase Heapsize
>
> Ibrahim,
>
> You can always call Runtime.getRuntime().totalMemory() to find out the amount of heap space that has been allocated to the JVM.
>
> Where would this code be written? And how would I execute it?
>
> Just toss a JSP file somewhere with that code in it to allow you to check up on the app.
>
> -chris

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: Increase Heapsize
Hi,

Use the following line in the catalina file on Windows (change accordingly for Linux):

    set JAVA_OPTS=%JAVA_OPTS% -verbosegc -XX:+PrintGCDetails

Run startup.sh from the command line to see all heap information on the console.

On 7/19/06, Suresh babu [EMAIL PROTECTED] wrote:

> Hi,
>
> It's an option to the JVM; just append this line there: -verbosegc -XX:+PrintGCDetails. To avoid out-of-memory errors, just make sure the minimum and maximum heap space are the same. You can find out still more information from the GC details logged on enabling the above option in the JVM. Check how much memory is reclaimed on each GC and how frequently minor or major GCs are happening. Moreover, you can set different algorithms, like copying collector, mark and compact, mark and sweep, incremental, or throughput collectors, in the young/old generation. You can find brief details in the following link.
>
> http://java.sun.com/docs/hotspot/gc5.0/gc_tuning_5.html
>
> On 7/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>
>> Chris,
>>
>> This gives how much heapsize is currently allocated. How can I know whether it is enough or what size it should be increased to? Also: real time wise, how is tomcat behaving with each event/interaction/page delivery?
>>
>> Thanks,
>> Ibrahim
>>
>> *Christopher Schultz [EMAIL PROTECTED]*
>> 07/18/2006 09:00 AM
>> Please respond to Tomcat Users List
>> To: Tomcat Users List users@tomcat.apache.org
>> cc:
>> Subject: Re: Increase Heapsize
>>
>> Ibrahim,
>>
>> You can always call Runtime.getRuntime().totalMemory() to find out the amount of heap space that has been allocated to the JVM.
>>
>> Where would this code be written? And how would I execute it?
>>
>> Just toss a JSP file somewhere with that code in it to allow you to check up on the app.
>>
>> -chris

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: Increase Heapsize
Hi,

Setting heap size to -Xms256 -Xmx1024 will allocate memory initially to 256 MB and keep expanding, as more objects are allocated, up to 1024. My recommendation to you is, as mentioned in the previous mail, to set the heap size to -Xms1536 -Xmx1536 and verify it. But do not increase the heap size blindly to greater values, which may lead to performance issues (pause times for GC cleaning may become longer). Try the heap settings and let me know. If the problem is still there, just send the verbose output and log file.

On 7/20/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

> what would've happened if you left your heapsize: -Xms256 -Xmx1024 ?

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: out of memory error
Hi,

Please set this and send the verbose output log file:

    set JAVA_OPTS=%JAVA_OPTS% -verbosegc -XX:+PrintGCDetails

I will look into this.

On 7/19/06, Martin Gainty [EMAIL PROTECTED] wrote:

> Good Afternoon Jon-
> set Max Mem and Min Mem within jvm.cfg (-Xmx and -Xms options) to the same value
> http://java.sun.com/docs/hotspot/PerformanceFAQ.html#8
> Exercise caution on playing with stack SS. 64k is mighty lean; 512k (default for Sparc) and 256k (default for Intel) usually is plenty unless your program has some grossly huge stack allocations.
> Drivers- Also be mindful of synch points for Type 2 (OCI) drivers vs using Type 4 (thin) drivers..
> HTH
> Martin
>
> ----- Original Message -----
> From: Jon Wingfield [EMAIL PROTECTED]
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Wednesday, July 19, 2006 12:12 PM
> Subject: Re: out of memory error
>
> This may be of help (emphasis on may): http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4765019
> Has a bit about tuning Xss for a high number of threads.
>
> MW Janssen wrote:
>
> Hi, These are my parameters: I have Xmx1024m and Xms1024m as well for the heap size memory. I don't set Xss so I presume I use the default value.
>
> My Operating System:
> OS Name: Windows 2003
> OS Version: 5.2
> Total RAM: 2.00Gb
> Free RAM: 2.00Gb
> Committed JVM memory: 1.02Gb
> Total swap: 4.00Gb
> Free swap: 3.87Gb
> (from lambdaprobe)
>
> Maarten
>
> -----Original Message-----
> From: David Tonhofer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 19 July 2006 16:57
> To: Tomcat Users List
> Subject: Re: out of memory error
>
> MW Janssen wrote:
>
> java.lang.OutOfMemoryError: unable to create new native thread
>
> Are you sure it isn't just the heap and/or stack that's too small? Try starting the JVM with one of the extended options like -Xss500k -Xmx100m (if it is the Sun JVM)

-- Suresh Babu, Software Engineer, Computer Associates-India
Re: Increase Heapsize
Hi,

Using -verbose:gc will also help in finding out the heap size.

On 7/18/06, Christopher Schultz [EMAIL PROTECTED] wrote:

> Ibrahim,
>
>> I've increased the heapsize in my development environment. And I don't know how to confirm the change has been made to the effect the whole system is affected. So I'd like to know how to go about confirming this, possibly thru some monitoring measure.
>
> You can always call Runtime.getRuntime().totalMemory() to find out the amount of heap space that has been allocated to the JVM.
>
> I have incorporated this piece of information into a page that allows the current user to snoop their session (only enabled in development, of course).
>
> -chris
Re: Increase Heapsize
-verbosegc -XX:+PrintGCDetails

On 7/18/06, Suresh babu [EMAIL PROTECTED] wrote:

> Hi,
>
> Using -verbose:gc will also help in finding out the heap size.
>
> On 7/18/06, Christopher Schultz [EMAIL PROTECTED] wrote:
>
>> Ibrahim,
>>
>>> I've increased the heapsize in my development environment. And I don't know how to confirm the change has been made to the effect the whole system is affected. So I'd like to know how to go about confirming this, possibly thru some monitoring measure.
>>
>> You can always call Runtime.getRuntime().totalMemory() to find out the amount of heap space that has been allocated to the JVM.
>>
>> I have incorporated this piece of information into a page that allows the current user to snoop their session (only enabled in development, of course).
>>
>> -chris