With all infrastructure components (Apache, Tomcat, etc.) that come bundled
with software stacks I suggest maintaining the infrastructure separate from
the actual applications.  I look at the bundled components as a helper to
get things easily deployed (for the purposes of a reference implementation,
demos, etc.) but not as a production-ready application stack.  There are
some vendors that only support their software on the bundled Tomcat/JBoss,
etc.; in my opinion, this is a horrible practice because they rarely (if
ever) keep up with security-related issues with the bundled infrastructure
components.

If you look at the midtier patches (historically), have you ever seen one
with patch files for the bundled Tomcat?  If you look at the release cycle
of Tomcat, how many times a year are security fixes released
(search the pages for CVE)?
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

Or for the short list:
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

This is just my opinion based on my observations of common practices of
software vendors en masse.  I'm sure there are software vendors that
maintain the full bundled application stack, but from my observations this
is the exception rather than the norm.

Just out of curiosity, can people post the version (major, minor) of Tomcat
bundled with the mid-tier, esp. those that used the patch installer to build
their mid-tier servers?

Axton Grams

The opinions, statements, and/or suggested courses of action expressed in
this E-mail do not necessarily reflect those of BMC Software, Inc.  My
voluntary participation in this forum is not intended to convey a role as a
spokesperson, liaison or public relations representative for BMC Software,
Inc.

On Fri, Feb 18, 2011 at 11:45 AM, patrick zandi <remedy...@gmail.com> wrote:

> ** but I am also reading that the only fix action is going to the tomcat
> 7.08 or 6.0.32 ... only...
> Anyone worked on this one..
>
> On Fri, Feb 18, 2011 at 12:42 PM, patrick zandi <remedy...@gmail.com> wrote:
>
>> Wait I see it is pointing to /examples   Didn't BMC delete that? I think
>> they did.. so I guess it would not matter.
>>
>>
>>
>> On Fri, Feb 18, 2011 at 12:39 PM, patrick zandi <remedy...@gmail.com> wrote:
>>
>>> http://nvd.nist.gov/nvd.cfm?cvename=CAN-2002-0682
>>>
>>> So this attack affects all tomcats 5, 6, 7 => does anyone know if it is
>>> affecting their midtiers?
>>> Also is BMC recommending this? or are they coming out with their own
>>> patch?
>>>
>>> <insert Dave's answer here>
>>>
>>> Just wondering..
>>> --
>>> Patrick Zandi
>>>
>>
>>
>>
>> --
>> Patrick Zandi
>>
>
>
>
> --
> Patrick Zandi
> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_
>

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"
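Since the thread asks people to report the Tomcat version bundled with their mid-tier, here is one way to answer that question from an inventory script. This is an added example, not code from the thread, from BMC or from the Tomcat project. It reads the version that catalina.jar itself reports (the same data `java -cp catalina.jar org.apache.catalina.util.ServerInfo` prints) and compares it with the minimum versions mentioned in the discussion, 6.0.32 and 7.0.8. Those two thresholds are taken from the thread only and are labelled as placeholders in the code; the jar path is an assumption as well (Tomcat 6 and 7 keep it under lib/, 5.5 under server/lib/). Confirm the thresholds against the Tomcat security pages linked above before acting on the result.

```python
#!/usr/bin/env python3
"""Inventory the Tomcat bundled with a mid-tier install.

Added example, not part of the ARSlist thread or any BMC tooling.  It reads the
version recorded in catalina.jar and compares it with the minimum versions the
thread names (6.0.32 and 7.0.8).  Those thresholds are placeholders taken from
the discussion; confirm them against the Tomcat security pages before acting.
"""
import re
import subprocess
import sys
import tempfile
import zipfile
from pathlib import Path

# Assumption: minimum fixed version per major branch, as stated in the thread.
MIN_FIXED = {6: (6, 0, 32), 7: (7, 0, 8)}

# Matches both "Server version: Apache Tomcat/6.0.29" (ServerInfo output) and
# "server.info=Apache Tomcat/7.0.8" (ServerInfo.properties inside catalina.jar).
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
PROPS_ENTRY = "org/apache/catalina/util/ServerInfo.properties"


def parse_version(text):
    """Return (major, minor, patch) or None when no Tomcat version is present."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_from_jar(catalina_jar):
    """Read the version straight out of the jar, no JVM needed.
    Assumed location: <tomcat>/lib/catalina.jar (6/7) or server/lib (5.5)."""
    with zipfile.ZipFile(catalina_jar) as jar:
        props = jar.read(PROPS_ENTRY).decode("utf-8", "replace")
    return parse_version(props)


def version_from_java(catalina_jar):
    """Same answer via the JVM, the way it is usually typed at a shell."""
    proc = subprocess.run(
        ["java", "-cp", str(catalina_jar), "org.apache.catalina.util.ServerInfo"],
        capture_output=True, text=True, check=True,
    )
    return parse_version(proc.stdout)


def assess(version):
    """Classify a version tuple: 'patched', 'vulnerable' or 'unknown-branch'.
    A branch absent from MIN_FIXED (e.g. 5.5) cannot be judged from the thread
    and is flagged for manual review rather than silently passed."""
    if version is None or version[0] not in MIN_FIXED:
        return "unknown-branch"
    return "patched" if version >= MIN_FIXED[version[0]] else "vulnerable"


def build_sample_jar(path, server_info="Apache Tomcat/6.0.29"):
    """Write a constructed stand-in for catalina.jar that holds only the
    properties entry, so the check can be exercised offline."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(PROPS_ENTRY, f"server.info={server_info}\n")
    return path


def demo():
    """Offline walk-through on a constructed jar: returns (version, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(Path(tmp) / "catalina.jar", "Apache Tomcat/6.0.29")
        version = version_from_jar(jar)
    return version, assess(version)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python tomcat_check.py /path/to/midtier-tomcat/lib/catalina.jar
        v = version_from_jar(sys.argv[1])
        shown = ".".join(map(str, v)) if v else "not found"
        print(f"bundled Tomcat: {shown} -> {assess(v)}")
    else:
        print("constructed sample:", demo())
```

Run it against the catalina.jar under each mid-tier server to collect the major.minor numbers the thread asks for; anything reported as unknown-branch (a 5.5 install, or a jar without the properties entry) needs a human look rather than being counted as patched.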