David,

On 7/24/18 12:56 PM, David Babooram wrote:
> Hey thanks.
> 
> Before I go through your recommendations with a fine tooth comb,
> do you think it will be the same amount of work trying to go
> straight to the latest Apache version?

Apache /what/ version?

> I started thinking of this since you mentioned the vul.

-chris

> On Tue, Jul 24, 2018 at 12:41 PM -0400, "Christopher Schultz"
> <ch...@christopherschultz.net> wrote:
> 
> 
> David,
> 
> On 7/24/18 10:54 AM, David Babooram wrote:
>> I will try to be as clear as possible.
> 
> :)
> 
>> The files that were originally in
>> /usr/local/tomcat/jakarta-tomcat-5.5.17/webapps/MYAPP/WEB-INF/lib
>> were copied by default when I migrated the app to
>> /usr/local/tomcat/apache-tomcat-6.0.53/webapps/
> 
> Good, that's what you probably should have done.
> 
>> When I ran MYAPP I got the error from my previous email.
> 
>> I then mv all the files from
>> /usr/local/tomcat/apache-tomcat-6.0.53/webapps/MYAPP/WEB-INF/lib
>> into a temp directory, in an attempt to make it use the global
>> lib, but still the same error.
> 
> Hmm. I'd expect lots of problems when removing all required
> libraries from your application.
> 
> Did you copy the "work" directory from the Tomcat 5.5
> installation? (I'm guessing not.)
> 
>> My next idea was to place the files from 
>> /usr/local/tomcat/apache-tomcat-6.0.53/webapps/MYAPP/WEB-INF/lib 
>> into  /usr/local/tomcat/apache-tomcat-6.0.53/lib , but with the
>> new structure I am unsure what belongs where.
> 
> Definitely undo that... it's likely to break your Tomcat
> installation. You should basically never add anything other than
> maybe a JDBC driver to your CATALINA_BASE/lib directory. Definitely
> nothing application-specific.
> 
> I'd recommend removing all the files from CATALINA_BASE/lib and 
> re-extracting the distro package you downloaded just to reset
> things back to the way they were.
> 
>> FYI : in my original
>> /usr/local/tomcat/jakarta-tomcat-5.5.17/common I have the
>> following directories
> 
>> classes  endorsed  i18n  lib
> 
> 
> 
> 
>> activation.jar antlr-2.7.2.jar
> 
> I think something got lost in the copy/paste. If you had files in
> the "common" loader in Tomcat 5.5 then you might have a bit of
> work figuring out which files are required by the application and
> which are expected to be supplied by the container (Tomcat).
> 
> I'm going to attempt to group these files into 2 categories:
> things that ought to be in your web application's WEB-INF/lib
> directory and which files should be ignored (because Tomcat and/or
> the JVM should be supplying them). Here goes:
> 
> 1. Files supplied by the JVM and/or Tomcat (and should be ignored
> from your old installation):
> 
>> activation.jar         (Modern JVMs supply this) 
>> el-api-2.2.1-b04.jar   (Tomcat is required to supply the EL
>> APIs)
> 
> 2. Files that ought to be in WEB-INF/lib in your application:
> 
>> antlr-2.7.2.jar axis-ant.jar axis.jar bsf-2.3.0.jar 
>> commons-beanutils-1.8.0.jar commons-chain-1.2.jar 
>> commons-codec-1.3.jar commons-collections.jar 
>> commons-dbcp-1.2.1.jar commons-digester-1.8.jar 
>> commons-discovery-0.2.jar commons-fileupload-1.1.1.jar 
>> commons-io-1.1.jar commons-lang.jar commons-logging-1.0.4.jar 
>> commons-pool-1.2.jar commons-validator-1.3.1.jar edtftpj.jar 
>> ibatis-common-2.jar ibatis-dao-2.jar ibatis-sqlmap-2.jar 
>> invoice-generator.jar itext-1.3.jar iText-2.1.0.jar 
>> j2ssh-ant-0.2.9.jar j2ssh-common-0.2.9.jar j2ssh-core-0.2.9.jar 
>> j2ssh-daemon-0.2.9.jar jakarta-oro.jar jaxrpc.jar
>> jsch-0.1.20.jar jstl-1.0.2.jar jstl-1.2.jar junit.jar
>> log4j-1.2.11.jar mailapi.jar ojdbc14.jar oro-2.0.8.jar
>> poi-2.5.1-final-20040804.jar quartz.jar saaj.jar smtp.jar
>> standard-1.0.6.jar stringtemplate.jar struts-core-1.3.10.jar
>> struts-el-1.3.10.jar struts-extras-1.3.10.jar
>> struts-faces-1.3.10.jar struts-mailreader-dao-1.3.10.jar
>> struts-scripting-1.3.10.jar struts-taglib-1.3.10.jar
>> struts-tiles-1.3.10.jar wsdl4j-1.5.1.jar xmlrpc-2.0.jar
> 
> 3. Wait, there is another category. You appear to have some
> conflicts in your existing libraries:
> 
>> jstl-1.0.2.jar jstl-1.2.jar
> 
> and
>> jakarta-oro.jar oro-2.0.8.jar
> 
> If those files have the same classes in each of them, you might be 
> looking at some problems. Check the contents to see if they are 
> distinct or if you have duplicate libraries.
> 
> 4. Things you might want to look into.
> 
>> mailapi.jar
> 
> Is that javamail?
> 
>> smtp.jar
> 
> Is that *also* javamail?
> 
>> ojdbc14.jar
> 
> Is that the Oracle JDBC driver? If the container (Tomcat) is
> managing your connection-pool, then you'll want to put this file
> into CATALINA_BASE/lib and *nowhere else*.
> 
>> junit.jar
> 
> Are you sure you need the junit runtime in your running
> application? My guess is "no" and you might want to see if things
> still work if you remove this. But it can wait until later.
> 
> Finally (and I say this as a proud Apache Struts 1.x user) it's 
> important that you understand that (a) Apache Struts 1.x has
> reached EOL and (b) there are unpatched, publicly-reported
> security vulnerabilities in the version you are using (1.3.10). You
> should really research those vulnerabilities and make sure that you
> have mitigated them all, or you risk exposing your users and
> servers to exploitation.
> 
> Hope that helps, -chris
> 
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Monday, 23 July 2018 2:29 PM
>> To: users@tomcat.apache.org
>> Subject: [EXTERNAL] Re: Tomcat 5.5.17 migration to 6.0.53
> 
>> David,
> 
>> On 7/23/18 12:51 PM, David Babooram wrote:
>>> Hello
> 
>>> I have begun a migration from 5.5 to 6. Yes I know 6 is EOL
>>> but the migration from 5.5 to 6 has some more documentation
>>> compared to 5.5 to the latest version.
> 
>>> I followed the standard migration of libs and classes from
>>> /common /shared etc to the new /lib directory for 6.
> 
>>> The server engine runs and I can see the examples web pages
>>> come up.
> 
>>> When I migrated my production webapps to the 6.0 instance
>>> however I get the following error.
> 
>>> HTTP Status 500 - java.lang.LinkageError: loader constraint
>>> violation: when resolving interface method
>>> "javax.servlet.jsp.JspApplicationContext.getExpressionFactory()Ljavax/el/ExpressionFactory;"
>>> the class loader (instance of
>>> org/apache/jasper/servlet/JasperLoader)
>>> of the current class, org/apache/jsp/index_jsp, and the class
>>> loader (instance of
>>> org/apache/catalina/loader/StandardClassLoader) for resolved
>>> class, javax/servlet/jsp/JspApplicationContext, have different
>>> Class objects for the type javax/el/ExpressionFactory used in
>>> the signature
> 
>>> Any insight on this is welcomed.
> 
>>> I notice that my app has its own lib directory; does this
>>> mean that there is a conflict with the lib files from the
>>> base directory?
> 
>> Possibly. What files do you have in your app's WEB-INF/lib 
>> directory?
> 
>> -chris
> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
> 

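Added example, not part of the thread and not code from Tomcat or from either poster: one way to run the two checks discussed above over a WEB-INF/lib directory, namely finding JARs that carry classes the container supplies (the javax.el copy behind the LinkageError) and finding classes that appear in more than one JAR (the jstl and oro question). The JAR contents below are constructed for the demonstration and say nothing about what the real files contain; `audit_lib` and `build_sample_lib` are hypothetical names.

```python
import os
import tempfile
import zipfile
from collections import defaultdict

# Packages Tomcat itself supplies. JSTL (javax/servlet/jsp/jstl/) is the
# exception: it ships with the application, so it is excluded here.
CONTAINER = ("javax/servlet/", "javax/el/")
APP_SUPPLIED = ("javax/servlet/jsp/jstl/",)


def audit_lib(lib_dir):
    """Return (JARs carrying container API classes, classes in >1 JAR)."""
    owners = defaultdict(set)  # class entry name -> JARs containing it
    container_api = set()
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        with zipfile.ZipFile(os.path.join(lib_dir, name)) as jar:
            classes = [n for n in jar.namelist() if n.endswith(".class")]
        for cls in classes:
            owners[cls].add(name)
            if cls.startswith(CONTAINER) and not cls.startswith(APP_SUPPLIED):
                container_api.add(name)
    duplicates = {c: sorted(j) for c, j in owners.items() if len(j) > 1}
    return sorted(container_api), duplicates


def build_sample_lib(lib_dir):
    """Write constructed JARs; only the entry names matter to the audit."""
    sample = {
        "el-api-2.2.1-b04.jar": ["javax/el/ExpressionFactory.class"],
        "jstl-1.2.jar": ["javax/servlet/jsp/jstl/core/Config.class"],
        "jakarta-oro.jar": ["org/apache/oro/text/regex/Perl5Matcher.class"],
        "oro-2.0.8.jar": ["org/apache/oro/text/regex/Perl5Matcher.class"],
        "commons-io-1.1.jar": ["org/apache/commons/io/IOUtils.class"],
    }
    for jar_name, entries in sample.items():
        with zipfile.ZipFile(os.path.join(lib_dir, jar_name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # placeholder, not real bytecode


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as lib:
        build_sample_lib(lib)
        api_jars, dups = audit_lib(lib)
    print("container API copies in lib:", api_jars)
    for cls, jars in sorted(dups.items()):
        print("duplicate class:", cls, "->", jars)
```

Pointing `audit_lib` at a real WEB-INF/lib gives the list of JARs to drop from the application and the overlapping pairs to resolve before deployment.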