Hello all, A slight change. After discussions , the production team in SIngapore wants us to go for upgrade to 4.1.40 Comments from tomcat forum responses: 1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will provide the least headache because you will be staying on your current Tomcat version, just improving your patch level. Plan to upgrade to a newer release of Tomcat in the future. Now i feel the vulnerability is fixed in this version. Now installing tomcat 4.1.40 what all changes will be required in my sevice..
no change in application? maybe installation and configuration changes will be needed? change needed in logging? should i stop the tomcat 4 service running and then install this new tomcat 4.1.40? Please help --- On Wed, 12/8/09, Christopher Schultz <ch...@christopherschultz.net> wrote: From: Christopher Schultz <ch...@christopherschultz.net> Subject: Re: avoiding ssl vulnerabilities in tomcat To: "Tomcat Users List" <users@tomcat.apache.org> Date: Wednesday, 12 August, 2009, 8:15 PM -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Sunil, On 8/12/2009 3:12 AM, sunil chandran wrote: > The issue is SSL vulnerability. from the responses, i understood that > i need to upgrade to tomcat latest version. As per the team, it is > recommended to go for Tomcat 5 in our environment. With all due respect to your team, I think they are making a mistake. Either of these are better choices in my opinion: 1. Upgrade to the latest version of 4.1.x, which is 4.1.40. This will provide the least headache because you will be staying on your current Tomcat version, just improving your patch level. Plan to upgrade to a newer release of Tomcat in the future. 2. Upgrade directly to Tomcat 6 without making a stop at Tomcat 5.5. If you are going to upgrade major versions, there is absolutely no reason for you to go to Tomcat 5.5, which will eventually have support dropped just like Tomcat 4.1 did. > my quesiton is: Is this vulernability solved in tomcat 5 version? Sheesh. Did you read the CVE description? http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1858 It clearly says that Tomcat 5.5 is vulnerable through 5.5.17 (which is inaccurate: the fix for this is documented to be in 5.5.17). Make sure you are using a version later than that if you must use 5.5. Now, before you ask about what version of Tomcat 6 you need in order to avoid this vulnerability, let me help you: 1. Go to Tomcat's web site (http://tomcat.apache.org/) 2. Follow the link that says "Security" 3. Pick your major Tomcat version 4. Read the fixes. Each one mentions the CVE identifier, a description of the problem, the versions of Tomcat affected, and the version in which a fix appears. All this information is easy to find on the Tomcat web site. Please read the documentation before continuing to ask questions such as these. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqC1ZUACgkQ9CaO5/Lv0PCU0ACfRTpiCEBpHAPCHyU0zB9nEX7s ZSEAoJb6rG+4aQCzX2iyP9B3VqLODGFX =z6Bp -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org See the Web's breaking stories, chosen by people like you. Check out Yahoo! Buzz. http://in.buzz.yahoo.com/
