Re: Fw: Tomcat Patch Management

2008-09-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Anand,

Anand Gundanna wrote:
 So, do you think Automatic windows patch management and manual tomcat
 patch management would ideal as patch releases from Tomcat is very rare?

Yes. Given that you have to test the hell out of your application
whenever you switch application servers, you wouldn't want to do it in
an automated way, anyway.

- -chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjKpXYACgkQ9CaO5/Lv0PCYhwCfdnDxtkXAdlOOX9+ZYr1R2HM5
JRYAoK7FrtWc3a44q9JcKvmTZwCw8/iA
=3oJH
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Fw: Tomcat Patch Management

2008-09-11 Thread Anand Gundanna
Hello,

Can someone help me please.. i haven't got the answer for my query yet.. 
please.

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398
- Forwarded by Anand Gundanna/TCS/NUI/NORWICHUNION on 11/09/2008 16:38 
-

Anand Gundanna/TCS/NUI/NORWICHUNION 
11/09/2008 12:04


To
users@tomcat.apache.org
cc

Subject
Tomcat Patch Management





Dear Support,

I would request for your help in regards to Tomcat Patch Management. I 
hope you will be helpful in this regard. 

We have installed and configured an Tomcat web server on windows server 
platform for an application called Business Objects XI. Tomcat web servers 
will not be supported/maintained by our web services team as it is non 
strategic within our organisation. But still we have hosted the Tomcat 
servers as it is mandated by Business Objects application. 

Now the Tomcat Web server has been successfully installed and configured. 
We need to plan for Patch management for Tomcat. At the moment we do not 
have any external/third party tool to manage the patches automatically. 
So, could you please clarify the following queries..

1) What is the best procedure/practice to keep Tomcat up-to-date with 
patches?

2) How frequently does Tomcat releases patches/updates and how critical it 
is for an internal application?

3) Does Tomcat have any built in tool/feature to download and update 
patches automatically? 

Please let me know if you know any other easy option/solution for Tomcat 
Patch Management. 

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398
Norwich Union is the trading name for the principal subsidiaries
of the Aviva Group in the United Kingdom.  The principal
subsidiaries are:

Norwich Union Insurance Limited

Norwich Union Insurance Limited. 
Registered Office 8 Surrey Street, Norwich, Norfolk NR1 3NG.
Registered in England Number 99122.
Norwich Union Direct is a trading name of Norwich Union
Insurance Limited. Authorised and regulated by the Financial
Services Authority. 

Norwich Union Life Services Limited

Norwich Union Life Services Limited. 
Registered Office 2 Rougier Street, York YO90 1UU. 
Registered in England Number 2403746. A member of the
Norwich Union Marketing Group which is authorised and
regulated by the Financial Services Authority. 

Norwich Union Healthcare Limited

Norwich Union Healthcare Limited.
Registered Office 8 Surrey Street, Norwich, Norfolk NR1 3NG.
Registered in England Number 2464270. Authorised and
regulated by the Financial Services Authority. 

**
This email and any files sent with it are intended only for the named
recipient. If you are not the named recipient please telephone/email
the sender immediately. You should not disclose the content or
take/retain/distribute any copies.
**

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Fw: Tomcat Patch Management

2008-09-11 Thread Anand Gundanna
Chris,

Thanks for your response.. 

Currently we are managing Windows Patch management through a application 
called BIGFIX. But that will not be used to manage for any other 
application purpose. 

So, do you think Automatic windows patch management and manual tomcat 
patch management would ideal as patch releases from Tomcat is very rare?

Best Regards,
Anand G
NU UK ITS Architecture and Design
Floor 7, Norfolk Tower, Norwich
Phone - 01603 838398



Christopher Schultz [EMAIL PROTECTED] 
11/09/2008 18:09
Please respond to
Tomcat Users List users@tomcat.apache.org


To
Tomcat Users List users@tomcat.apache.org
cc

Subject
Re: Fw: Tomcat Patch Management






-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Anand,

Anand Gundanna wrote:
 We have installed and configured an Tomcat web server on windows server
 platform for an application called Business Objects XI.

Yikes. Patching Microsoft Windows will be more important than patching
Tomcat from the vulnerabilities I've seen from both.

 1) What is the best procedure/practice to keep Tomcat up-to-date with
 patches?

That depends on your existing patching procedures.

 2) How frequently does Tomcat releases patches/updates and how critical
 it is for an internal application?

Tomcat rarely releases patches per se. New versions are sometimes
released to fix non-security-related as well as security-related bugs.
These are also relatively rare.

 3) Does Tomcat have any built in tool/feature to download and update
 patches automatically?

No. You'll have to watch the lists for updates and then test and deploy
them yourself.

 Please let me know if you know any other easy option/solution for Tomcat
 Patch Management.

I would ask your NOC what they do for Microsoft Windows updates.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjJULUACgkQ9CaO5/Lv0PBDDgCcCmhu5/tsnOmv4loCbBzmWjpc
diwAn18ybgLsKg1ivtJNOfGcJTIcs8wy
=0/ND
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Norwich Union is the trading name for the principal subsidiaries
of the Aviva Group in the United Kingdom.  The principal
subsidiaries are:

Norwich Union Insurance Limited

Norwich Union Insurance Limited. 
Registered Office 8 Surrey Street, Norwich, Norfolk NR1 3NG.
Registered in England Number 99122.
Norwich Union Direct is a trading name of Norwich Union
Insurance Limited. Authorised and regulated by the Financial
Services Authority. 

Norwich Union Life Services Limited

Norwich Union Life Services Limited. 
Registered Office 2 Rougier Street, York YO90 1UU. 
Registered in England Number 2403746. A member of the
Norwich Union Marketing Group which is authorised and
regulated by the Financial Services Authority. 

Norwich Union Healthcare Limited

Norwich Union Healthcare Limited.
Registered Office 8 Surrey Street, Norwich, Norfolk NR1 3NG.
Registered in England Number 2464270. Authorised and
regulated by the Financial Services Authority. 

**
This email and any files sent with it are intended only for the named
recipient. If you are not the named recipient please telephone/email
the sender immediately. You should not disclose the content or
take/retain/distribute any copies.
**

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Fw: Tomcat Patch Management

2008-09-11 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Anand,

Anand Gundanna wrote:
 We have installed and configured an Tomcat web server on windows server
 platform for an application called Business Objects XI.

Yikes. Patching Microsoft Windows will be more important than patching
Tomcat from the vulnerabilities I've seen from both.

 1) What is the best procedure/practice to keep Tomcat up-to-date with
 patches?

That depends on your existing patching procedures.

 2) How frequently does Tomcat releases patches/updates and how critical
 it is for an internal application?

Tomcat rarely releases patches per se. New versions are sometimes
released to fix non-security-related as well as security-related bugs.
These are also relatively rare.

 3) Does Tomcat have any built in tool/feature to download and update
 patches automatically?

No. You'll have to watch the lists for updates and then test and deploy
them yourself.

 Please let me know if you know any other easy option/solution for Tomcat
 Patch Management.

I would ask your NOC what they do for Microsoft Windows updates.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjJULUACgkQ9CaO5/Lv0PBDDgCcCmhu5/tsnOmv4loCbBzmWjpc
diwAn18ybgLsKg1ivtJNOfGcJTIcs8wy
=0/ND
-END PGP SIGNATURE-

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Fw: Tomcat Patch Management

2008-09-11 Thread Brian Clark
So, do you think Automatic windows patch
management and manual tomcat patch management would ideal as patch releases
from Tomcat is very rare?

Yes, that's the way we do it. We use WSUS for Windows patch management, and 
manually upgrade Tomcat as needed. This has not been an issue for us, as Tomcat 
is only updated a few times per year, not once per month like Windows is. If 
your environment is standardized enough, you could probably build your own MSI 
installer for Tomcat to make the upgrade process even easier. I've not done 
this, but there are inexpensive tools that you can get to help you do it. 

Brian