Re: Patch information required
kanishk.se...@accenture.com wrote:
> Hi All,
>
> We are using Apache tomcat version 6.0.26 bundled with Jasper soft 5.0 server and we need to install below patches on our servers to fix some Vulnerabilities.
>
> http://svn.apache.org/viewvc?view=revisionrevision=958911
> http://svn.apache.org/viewvc?view=revisionrevision=958977
> http://svn.apache.org/viewvc?view=revisionrevision=959428
> http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search
>
> I am not sure how to install these patches can anyone help us here.
>
> Note: We cannot upgrade to new version. So we need the steps to install the above patches.

Let's maybe first rectify the above statement : technically, you certainly /can/ install new versions. Whether the internal rules of your organisation allow this, is another question altogether, which has to be answered by your organisation.

As far as I know, Tomcat does not distribute patches. It publishes new versions, which include a number of enhancements and fixes, such as the ones from SVN which you mention above. And it highly recommends to keep your Tomcat version current and use the latest published version, which would include the above changes and probably also fix other issues which you haven't yet noticed.

The latest 6.x version of Tomcat is here : https://tomcat.apache.org/download-60.cgi

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Patch information required
André Warnier wrote:
> kanishk.se...@accenture.com wrote:
>> Hi All,
>>
>> We are using Apache tomcat version 6.0.26 bundled with Jasper soft 5.0 server and we need to install below patches on our servers to fix some Vulnerabilities.
>>
>> http://svn.apache.org/viewvc?view=revisionrevision=958911
>> http://svn.apache.org/viewvc?view=revisionrevision=958977
>> http://svn.apache.org/viewvc?view=revisionrevision=959428
>> http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
>> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search
>>
>> I am not sure how to install these patches can anyone help us here.
>>
>> Note: We cannot upgrade to new version. So we need the steps to install the above patches.
>
> Let's maybe first rectify the above statement : technically, you certainly /can/ install new versions. Whether the internal rules of your organisation allow this, is another question altogether, which has to be answered by your organisation.
>
> As far as I know, Tomcat does not distribute patches. It publishes new versions, which include a number of enhancements and fixes, such as the ones from SVN which you mention above. And it highly recommends to keep your Tomcat version current and use the latest published version, which would include the above changes and probably also fix other issues which you haven't yet noticed.
>
> The latest 6.x version of Tomcat is here : https://tomcat.apache.org/download-60.cgi

Addendum : The last link which you mention (juniper) leads to a page which clearly indicates that these issues have been resolved by a new release of this vendor's product, which includes a new major version of Tomcat. Did you even read it ?

Re: Patch information required
Kanishk,

Try reading the responses you got on the 28th and 29th. If you have further questions, post them as a follow-up to the original thread.

-chris

On 12/2/13, 4:26 AM, kanishk.se...@accenture.com wrote:
> Hi All,
>
> We are using Apache tomcat version 6.0.26 bundled with Jasper soft 5.0 server and we need to install below patches on our servers to fix some Vulnerabilities.
>
> http://svn.apache.org/viewvc?view=revisionrevision=958911
> http://svn.apache.org/viewvc?view=revisionrevision=958977
> http://svn.apache.org/viewvc?view=revisionrevision=959428
> http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search
>
> I am not sure how to install these patches can anyone help us here.
>
> Note: We cannot upgrade to new version. So we need the steps to install the above patches.
>
> Regards
> Kanishk Sethi
>
> This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy.
Re: Patch information required
Ben,

On 11/28/13, 2:49 AM, Ben Stringer wrote:
> On 28 Nov 2013, at 6:14 pm, pravin.pa...@accenture.com wrote:
>> Hi Ben,
>>
>> Thanks for your comment. We are using tomcat bundle which comes with JasperReports Server (v5.1.0).
>
> Can you upgrade to 5.5? This uses Tomcat 7. Likely to have many of your patches covered.
>
> Upgrading a bundled Tomcat would require you taking on some testing effort, and may affect your product support from the vendor. Safer to follow the vendor's upgrade path.

JasperReports Server is not significantly tied to the version of Tomcat on which it is bundled. I recently set up a JRS server by downloading their WAR installer and just installed it myself onto whatever version I wanted (Tomcat 7 at the time).

-chris

Re: Patch information required
On 28 Nov 2013, at 6:14 pm, pravin.pa...@accenture.com wrote:
> Hi Ben,
>
> Thanks for your comment. We are using tomcat bundle which comes with JasperReports Server (v5.1.0).

Can you upgrade to 5.5? This uses Tomcat 7. Likely to have many of your patches covered.

Upgrading a bundled Tomcat would require you taking on some testing effort, and may affect your product support from the vendor. Safer to follow the vendor's upgrade path.

Cheers, Ben

> Can you provide any alternative way to install the below mentioned patches without upgrading it to the latest version. We are not sure that upgrading to the latest version will affect our application server or not.
>
> Thanks,
> Pravin Pawar
>
> -----Original Message-----
> From: Ben Stringer [mailto:b...@burbong.com]
> Sent: Thursday, November 28, 2013 12:06 PM
> To: Tomcat Users List
> Cc: Pawar, Pravin
> Subject: Re: Patch information required
>
> On Thu, November 28, 2013 5:15 pm, kanishk.se...@accenture.com wrote:
>> Hi All,
>
> Hi Kanishk,
>
>> We are using Apache tomcat version 6.0.26 and we need to install below patches on our servers to fix some Vulnerabilities.
>>
>> http://svn.apache.org/viewvc?view=revisionrevision=958911
>> http://svn.apache.org/viewvc?view=revisionrevision=958977
>> http://svn.apache.org/viewvc?view=revisionrevision=959428
>> http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
>> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search
>
> Is the Apache tomcat instance you are using bundled with the applications above (from HP, Juniper)? If so, you should get an updated release from those vendors, as they should have bundled a higher version of Tomcat that resolves the issues.
>
> You can cross-check your list of CVE vulnerabilities against Tomcat versions at this page: http://tomcat.apache.org/security.html
>
> Looks like 6.0.37 is the latest version of Tomcat 6.
>
> Cheers, Ben

RE: Patch information required
I will contact all the engineers I know who want to work free for Accenture

Goodbye

Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask that you notify us. Any unauthorized forwarding or copying is prohibited. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

From: kanishk.se...@accenture.com
To: users@tomcat.apache.org
CC: pravin.pa...@accenture.com
Subject: Patch information required
Date: Thu, 28 Nov 2013 06:15:27 +

Hi All,

We are using Apache tomcat version 6.0.26 and we need to install below patches on our servers to fix some Vulnerabilities.

http://svn.apache.org/viewvc?view=revisionrevision=958911
http://svn.apache.org/viewvc?view=revisionrevision=958977
http://svn.apache.org/viewvc?view=revisionrevision=959428
http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search

I am not sure how to install these patches can anyone help us here.

Regards
Kanishk Sethi

Re: Patch information required
On Thu, November 28, 2013 5:15 pm, kanishk.se...@accenture.com wrote:
> Hi All,

Hi Kanishk,

> We are using Apache tomcat version 6.0.26 and we need to install below patches on our servers to fix some Vulnerabilities.
>
> http://svn.apache.org/viewvc?view=revisionrevision=958911
> http://svn.apache.org/viewvc?view=revisionrevision=958977
> http://svn.apache.org/viewvc?view=revisionrevision=959428
> http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search

Is the Apache tomcat instance you are using bundled with the applications above (from HP, Juniper)? If so, you should get an updated release from those vendors, as they should have bundled a higher version of Tomcat that resolves the issues.

You can cross-check your list of CVE vulnerabilities against Tomcat versions at this page: http://tomcat.apache.org/security.html

Looks like 6.0.37 is the latest version of Tomcat 6.

Cheers, Ben

Re: Patch information required
On 28/11/2013 06:36, Ben Stringer wrote:
> On Thu, November 28, 2013 5:15 pm, kanishk.se...@accenture.com wrote:
>> Hi All,
>
> Hi Kanishk,
>
>> We are using Apache tomcat version 6.0.26 and we need to install below patches on our servers to fix some Vulnerabilities.
>>
>> http://svn.apache.org/viewvc?view=revisionrevision=958911
>> http://svn.apache.org/viewvc?view=revisionrevision=958977
>> http://svn.apache.org/viewvc?view=revisionrevision=959428
>> http://h2.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
>> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584actionBtn=Search
>
> Is the Apache tomcat instance you are using bundled with the applications above (from HP, Juniper)? If so, you should get an updated release from those vendors, as they should have bundled a higher version of Tomcat that resolves the issues.

+1. Both the HP page and the Juniper page provide details of how to obtain an updated version of their respective products that includes the fixes.

If you really want to do this by hand (not recommended) then the starting point is downloading the 6.0.26 src distribution or checking out the 6.0.26 tag and building from source.

> You can cross-check your list of CVE vulnerabilities against Tomcat versions at this page: http://tomcat.apache.org/security.html
>
> Looks like 6.0.37 is the latest version of Tomcat 6.

It is. And there are quite a few vulnerabilities fixed since 6.0.26.

Mark