Hello Anne, Thank you for the valuable advice. Yea, I can start with upgrading httpd. I'm taking a look now actually. But I hope I could get the answer for the "gap" as well as you mentioned.
Thank you. Soon-Won On Mon, Oct 10, 2011 at 7:15 PM, Anne <[email protected]> wrote: > Apache only talks to mod_jk, not Tomcat, so the version of Apache you > need is whatever is compatible with your version of mod_jk. > > I use Debian Linux, so what I would do first is use Google to work out > whether the version of Tomcat I want to use requires a specific > version of mod_jk. If so, I would use Debian's apt-get to ensure I had > at least that version of mod_jk, and apt-get would automatically > ensure I had a compatible version of Apache. > > Of course, if you don't use a package manager such as apt-get, then > you'll have to read the release notes for the version you want to use. > However the documentation for these is usually pretty good at telling > you if there's some restriction with what version works with what. > > I suspect that doesn't answer all of your question, but hopefully it > gives you a starting point, and maybe someone else can fill in the > gaps. i don't use Apache/mod_jk these days, having switched to nginx. > > Cheers, > Anne. > > On 11 October 2011 01:22, Soon Won Park <[email protected]> wrote: >> Hello, >> >> I'd like to know what I should upgrade - tomcat or apache httpd? >> >> CVE pointed out that some of the Tomcat versions on Linux have >> vulnerability. >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729 >> >> I have opentaps 1.0.3(include tomcat 5.5.20) version running on apache >> 2.2.3 by using mod_jk. Do you think I need to upgrade tomcat or >> apache? It's little bit difficult to upgrade opentaps version itself. >> >> It might not be so difficult to upgrade both, but I'd like to make >> sure what's real problem before taking next step. >> >> My doube is, if tomcat is being used through mod_jk, then, the tomcat >> version itself might not be matter. And this mean I do not need to >> upgrade tomcat, but rather need to upgrade apache httpd which would be >> the interface of the server. According to CVE posting, it says I need >> to upgrade to tomcat which include vulnerable version of jsvc. Thus I >> need to upgrade to jsvc 1.0.7 or later(I guess it's being used in >> tomcat & apache both). But I couldn't find what version of jsvc is >> being used on apache httpd 2.2.3. So I'm not sure I need to upgrade >> apache httpd itself as well or not. >> >> Any help would be appreciated. Thank you for reading. >> >> Thank you. >> Soon-Won Park >> > > > > -- > Coherent Software Australia Pty Ltd > PO Box 2773 > Cheltenham Vic 3192 > Phone: (03) 9585 6788 > Fax: (03) 9585 1086 > Web: http://www.cohsoft.com.au/ > Email: [email protected] > > Bonsai ERP, the all-inclusive ERP system > http://www.bonsaierp.com.au/ >
