Hello, I'd like to know what I should upgrade - tomcat or apache httpd?
CVE pointed out that some of the Tomcat versions on Linux have vulnerability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729 I have opentaps 1.0.3(include tomcat 5.5.20) version running on apache 2.2.3 by using mod_jk. Do you think I need to upgrade tomcat or apache? It's little bit difficult to upgrade opentaps version itself. It might not be so difficult to upgrade both, but I'd like to make sure what's real problem before taking next step. My doube is, if tomcat is being used through mod_jk, then, the tomcat version itself might not be matter. And this mean I do not need to upgrade tomcat, but rather need to upgrade apache httpd which would be the interface of the server. According to CVE posting, it says I need to upgrade to tomcat which include vulnerable version of jsvc. Thus I need to upgrade to jsvc 1.0.7 or later(I guess it's being used in tomcat & apache both). But I couldn't find what version of jsvc is being used on apache httpd 2.2.3. So I'm not sure I need to upgrade apache httpd itself as well or not. Any help would be appreciated. Thank you for reading. Thank you. Soon-Won Park
