Re: Tomcat patch management and patching best practices
The Apache Tomcat project does not provide patches for individual issues and has no plans to change that.

The simplest way to manage updates is to separate CATALINA_HOME and CATALINA_BASE as per
http://tomcat.apache.org/tomcat-9.0-doc/introduction.html#CATALINA_HOME_and_CATALINA_BASE
or
https://tomcat.apache.org/tomcat-9.0-doc/RUNNING.txt

Upgrades then become a case of:
- Unpack new binary distribution
- Stop Tomcat
- Update CATALINA_HOME environment variable
- Start Tomcat

Mark

On 07/02/2019 02:52, John Larsen wrote:
> That's a really good question. We've simply replaced the entire Tomcat installation and then rerun auto config.
>
> Be nice if Apache provided patches.
>
> John
>
> On Wed, Feb 6, 2019 at 7:39 PM Murtaza Doctor wrote:
>
>> Dear Support,
>>
>> We request your help/advice for the Tomcat Patch Management. We have installed Tomcat server to host an application which is internally used in our organisation. We do not have any current process/procedure to patch Tomcat. So we are looking for your advice on this.
>>
>> Please address my below queries:
>>
>> 1) What is the best procedure/practice to keep Tomcat up-to-date with patches?
>>
>> 2) How frequently does Tomcat release patches/updates? If patches are available, please advise the link to access the patches and its details (including steps to apply it)
>>
>> 3) Are separate patches released for security vulnerabilities fixed and bug fixed in Tomcat application server?
>>
>> Kindly advise. Your suggestion will help us in building our internal processes. Thanks.
>>
>> Kind Regards,
>> Murtaza Doctor.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
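The upgrade sequence Mark lists above, as an added shell example (not part of the thread and not Tomcat project code). It assumes GNU tar and sha512sum and a hypothetical env file holding CATALINA_HOME and CATALINA_BASE as KEY=value lines, and it adds a digest check of the download against its published .sha512 file before anything is unpacked.

```shell
#!/bin/sh
# Added example (not from the thread): upgrade by switching CATALINA_HOME while
# CATALINA_BASE stays put. Assumes GNU tar/sha512sum and a hypothetical env file
# with CATALINA_HOME=... and CATALINA_BASE=... lines.

# verify_sha512 TARBALL SUMFILE: compare the download with its published digest.
verify_sha512() {
    expected=$(awk '{print $1; exit}' "$2") || return 1
    actual=$(sha512sum "$1" | awk '{print $1}') || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# env_get FILE KEY: print the value stored for KEY in the env file.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# upgrade_tomcat TARBALL SUMFILE INSTALL_ROOT ENV_FILE
upgrade_tomcat() {
    tarball=$1 sumfile=$2 root=$3 envfile=$4

    verify_sha512 "$tarball" "$sumfile" ||
        { echo "checksum mismatch: $tarball" >&2; return 1; }
    old_home=$(env_get "$envfile" CATALINA_HOME)
    [ -x "$old_home/bin/shutdown.sh" ] ||
        { echo "current CATALINA_HOME not usable: $old_home" >&2; return 1; }

    # 1. Unpack the new binary distribution next to the old one.
    top=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1) || return 1
    [ -n "$top" ] || return 1
    new_home="$root/$top"
    [ ! -e "$new_home" ] || { echo "already unpacked: $new_home" >&2; return 1; }
    tar -xzf "$tarball" -C "$root" || return 1
    [ -x "$new_home/bin/startup.sh" ] ||
        { echo "no bin/startup.sh in $new_home" >&2; return 1; }

    CATALINA_BASE=$(env_get "$envfile" CATALINA_BASE)
    export CATALINA_BASE

    # 2. Stop Tomcat with the old CATALINA_HOME; abort the switch if that fails.
    #    shutdown.sh can return before the JVM has exited, so a production
    #    script would also wait for the process to go away.
    CATALINA_HOME=$old_home "$old_home/bin/shutdown.sh" || return 1

    # 3. Update CATALINA_HOME. The old directory stays on disk, so rollback is
    #    the same edit in reverse.
    sed "s|^CATALINA_HOME=.*|CATALINA_HOME=$new_home|" "$envfile" > "$envfile.new" &&
        mv "$envfile.new" "$envfile" || return 1

    # 4. Start Tomcat from the new CATALINA_HOME against the same CATALINA_BASE.
    CATALINA_HOME=$new_home "$new_home/bin/startup.sh"
}

# Run the upgrade only when called with the four arguments.
if [ "$#" -eq 4 ]; then upgrade_tomcat "$@"; fi
```

Because webapps, conf and logs live under CATALINA_BASE, nothing application-specific is touched by the switch, which is what makes the four steps sufficient.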
Re: Tomcat patch management and patching best practices
That's a really good question. We've simply replaced the entire Tomcat installation and then rerun auto config.

Be nice if Apache provided patches.

John

On Wed, Feb 6, 2019 at 7:39 PM Murtaza Doctor wrote:

> Dear Support,
>
> We request your help/advice for the Tomcat Patch Management. We have installed Tomcat server to host an application which is internally used in our organisation. We do not have any current process/procedure to patch Tomcat. So we are looking for your advice on this.
>
> Please address my below queries:
>
> 1) What is the best procedure/practice to keep Tomcat up-to-date with patches?
>
> 2) How frequently does Tomcat release patches/updates? If patches are available, please advise the link to access the patches and its details (including steps to apply it)
>
> 3) Are separate patches released for security vulnerabilities fixed and bug fixed in Tomcat application server?
>
> Kindly advise. Your suggestion will help us in building our internal processes. Thanks.
>
> Kind Regards,
> Murtaza Doctor.
Tomcat patch management and patching best practices
Dear Support,

We request your help/advice for the Tomcat Patch Management. We have installed Tomcat server to host an application which is internally used in our organisation. We do not have any current process/procedure to patch Tomcat. So we are looking for your advice on this.

Please address my below queries:

1) What is the best procedure/practice to keep Tomcat up-to-date with patches?

2) How frequently does Tomcat release patches/updates? If patches are available, please advise the link to access the patches and its details (including steps to apply it)

3) Are separate patches released for security vulnerabilities fixed and bug fixed in Tomcat application server?

Kindly advise. Your suggestion will help us in building our internal processes. Thanks.

Kind Regards,
Murtaza Doctor.
Re: Fw: Tomcat Patch Management
Anand,

Anand Gundanna wrote:
> So, do you think automatic Windows patch management and manual Tomcat patch management would be ideal as patch releases from Tomcat are very rare?

Yes. Given that you have to test the hell out of your application whenever you switch application servers, you wouldn't want to do it in an automated way, anyway.

-chris

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat Patch Management
Mark Thomas wrote:
> Anand Gundanna wrote:
>> Dear Support,
>>
>> I would request for your help in regards to Tomcat Patch Management. I hope you will be helpful in this regard.
>>
>> We have installed and configured a Tomcat web server on Windows server platform for an application called Business Objects XI. Tomcat web servers will not be supported/maintained by our web services team as it is non strategic within our organisation. But still we have hosted the Tomcat servers as it is mandated by Business Objects application.
>>
>> Now the Tomcat web server has been successfully installed and configured. We need to plan for patch management for Tomcat. At the moment we do not have any external/third party tool to manage the patches automatically. So, could you please clarify the following queries..
>>
>> 1) What is the best procedure/practice to keep Tomcat up-to-date with patches?
>
> There are no patches, only full releases.
>
>> 2) How frequently does Tomcat release patches/updates and how critical it is for an internal application?
>
> ~3 per year. How critical is your call. If it ain't broke...
>
>> 3) Does Tomcat have any built in tool/feature to download and update patches automatically?
>
> Nope.
>
>> Please let me know if you know any other easy option/solution for Tomcat Patch Management.
>
> There are commercial support providers that will provide simpler patch management options.

Or safer bet, depending on how well the application is designed (and how critical it is)... install a staging server with the new Tomcat release, and copy the application over and test. I do not know of any 100% proof patch/upgrade for any software.

> Mark

--
Regards
Gabe Wong
NGASI AppServer Manager
JAVA AUTOMATION and SaaS Enablement for Cloud Computing
http://www.ngasi.com
NEW! FREE Developer account for Hosted version on Amazon EC2
Tomcat Patch Management
Dear Support,

I would request for your help in regards to Tomcat Patch Management. I hope you will be helpful in this regard.

We have installed and configured a Tomcat web server on Windows server platform for an application called Business Objects XI. Tomcat web servers will not be supported/maintained by our web services team as it is non strategic within our organisation. But still we have hosted the Tomcat servers as it is mandated by Business Objects application.

Now the Tomcat web server has been successfully installed and configured. We need to plan for patch management for Tomcat. At the moment we do not have any external/third party tool to manage the patches automatically. So, could you please clarify the following queries..

1) What is the best procedure/practice to keep Tomcat up-to-date with patches?

2) How frequently does Tomcat release patches/updates and how critical it is for an internal application?

3) Does Tomcat have any built in tool/feature to download and update patches automatically?

Please let me know if you know any other easy option/solution for Tomcat Patch Management.

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398

Norwich Union is the trading name for the principal subsidiaries of the Aviva Group in the United Kingdom. The principal subsidiaries are:

Norwich Union Insurance Limited. Registered Office 8 Surrey Street, Norwich, Norfolk NR1 3NG. Registered in England Number 99122. Norwich Union Direct is a trading name of Norwich Union Insurance Limited. Authorised and regulated by the Financial Services Authority.

Norwich Union Life Services Limited. Registered Office 2 Rougier Street, York YO90 1UU. Registered in England Number 2403746. A member of the Norwich Union Marketing Group which is authorised and regulated by the Financial Services Authority.

Norwich Union Healthcare Limited. Registered Office 8 Surrey Street, Norwich, Norfolk NR1 3NG. Registered in England Number 2464270. Authorised and regulated by the Financial Services Authority.

This email and any files sent with it are intended only for the named recipient. If you are not the named recipient please telephone/email the sender immediately. You should not disclose the content or take/retain/distribute any copies.
Fw: Tomcat Patch Management
Hello,

Can someone help me please.. I haven't got the answer for my query yet.. please.

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398

----- Forwarded by Anand Gundanna/TCS/NUI/NORWICHUNION on 11/09/2008 16:38 -----

Anand Gundanna/TCS/NUI/NORWICHUNION
11/09/2008 12:04
To: users@tomcat.apache.org
cc:
Subject: Tomcat Patch Management

Dear Support,

I would request for your help in regards to Tomcat Patch Management. I hope you will be helpful in this regard.

We have installed and configured a Tomcat web server on Windows server platform for an application called Business Objects XI. Tomcat web servers will not be supported/maintained by our web services team as it is non strategic within our organisation. But still we have hosted the Tomcat servers as it is mandated by Business Objects application.

Now the Tomcat web server has been successfully installed and configured. We need to plan for patch management for Tomcat. At the moment we do not have any external/third party tool to manage the patches automatically. So, could you please clarify the following queries..

1) What is the best procedure/practice to keep Tomcat up-to-date with patches?

2) How frequently does Tomcat release patches/updates and how critical it is for an internal application?

3) Does Tomcat have any built in tool/feature to download and update patches automatically?

Please let me know if you know any other easy option/solution for Tomcat Patch Management.

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398
Re: Fw: Tomcat Patch Management
Chris,

Thanks for your response..

Currently we are managing Windows patch management through an application called BIGFIX. But that will not be used to manage for any other application purpose.

So, do you think automatic Windows patch management and manual Tomcat patch management would be ideal as patch releases from Tomcat are very rare?

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398

Christopher Schultz [EMAIL PROTECTED]
11/09/2008 18:09
Please respond to: Tomcat Users List users@tomcat.apache.org
To: Tomcat Users List users@tomcat.apache.org
cc:
Subject: Re: Fw: Tomcat Patch Management

Anand,

Anand Gundanna wrote:
> We have installed and configured a Tomcat web server on Windows server platform for an application called Business Objects XI.

Yikes. Patching Microsoft Windows will be more important than patching Tomcat from the vulnerabilities I've seen from both.

> 1) What is the best procedure/practice to keep Tomcat up-to-date with patches?

That depends on your existing patching procedures.

> 2) How frequently does Tomcat release patches/updates and how critical it is for an internal application?

Tomcat rarely releases patches per se. New versions are sometimes released to fix non-security-related as well as security-related bugs. These are also relatively rare.

> 3) Does Tomcat have any built in tool/feature to download and update patches automatically?

No. You'll have to watch the lists for updates and then test and deploy them yourself.

> Please let me know if you know any other easy option/solution for Tomcat Patch Management.

I would ask your NOC what they do for Microsoft Windows updates.

-chris
Re: Fw: Tomcat Patch Management
Anand,

Anand Gundanna wrote:
> We have installed and configured a Tomcat web server on Windows server platform for an application called Business Objects XI.

Yikes. Patching Microsoft Windows will be more important than patching Tomcat from the vulnerabilities I've seen from both.

> 1) What is the best procedure/practice to keep Tomcat up-to-date with patches?

That depends on your existing patching procedures.

> 2) How frequently does Tomcat release patches/updates and how critical it is for an internal application?

Tomcat rarely releases patches per se. New versions are sometimes released to fix non-security-related as well as security-related bugs. These are also relatively rare.

> 3) Does Tomcat have any built in tool/feature to download and update patches automatically?

No. You'll have to watch the lists for updates and then test and deploy them yourself.

> Please let me know if you know any other easy option/solution for Tomcat Patch Management.

I would ask your NOC what they do for Microsoft Windows updates.

-chris
Re: Fw: Tomcat Patch Management
> So, do you think automatic Windows patch management and manual Tomcat patch management would be ideal as patch releases from Tomcat are very rare?

Yes, that's the way we do it. We use WSUS for Windows patch management, and manually upgrade Tomcat as needed. This has not been an issue for us, as Tomcat is only updated a few times per year, not once per month like Windows is.

If your environment is standardized enough, you could probably build your own MSI installer for Tomcat to make the upgrade process even easier. I've not done this, but there are inexpensive tools that you can get to help you do it.

Brian
Re: Tomcat Patch Management
Anand Gundanna wrote:
> Dear Support,
>
> I would request for your help in regards to Tomcat Patch Management. I hope you will be helpful in this regard.
>
> We have installed and configured a Tomcat web server on Windows server platform for an application called Business Objects XI. Tomcat web servers will not be supported/maintained by our web services team as it is non strategic within our organisation. But still we have hosted the Tomcat servers as it is mandated by Business Objects application.
>
> Now the Tomcat web server has been successfully installed and configured. We need to plan for patch management for Tomcat. At the moment we do not have any external/third party tool to manage the patches automatically. So, could you please clarify the following queries..
>
> 1) What is the best procedure/practice to keep Tomcat up-to-date with patches?

There are no patches, only full releases.

> 2) How frequently does Tomcat release patches/updates and how critical it is for an internal application?

~3 per year. How critical is your call. If it ain't broke...

> 3) Does Tomcat have any built in tool/feature to download and update patches automatically?

Nope.

> Please let me know if you know any other easy option/solution for Tomcat Patch Management.

There are commercial support providers that will provide simpler patch management options.

Mark