Re: Hints on upgrading from 6.0.14 to 6.0.18 on production server

2008-12-29 Thread Gregor Schneider
If I'm not mistaken, the APR has caused the bug, and 6.0.16 contains a
new version of the APR. Since this usually comes as a source, you'll
have to re-compile the APR.

Cheers

Gregor
-- 
just because you're paranoid, doesn't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Hints on upgrading from 6.0.14 to 6.0.18 on production server

2008-12-29 Thread Alan Chaney

Or stop using APR...

but that in itself is quite a lot of work as I'll have to reconfigure my 
SSL.


Hmm...



Gregor Schneider wrote:

If I'm not mistaken, the APR has caused the bug, and 6.0.16 contains a
new version of the APR. Since this usually comes as a source, you'll
have to re-compile the APR.

Cheers

Gregor





Re: Hints on upgrading from 6.0.14 to 6.0.18 on production server

2008-12-29 Thread Brian Clark
The only thing we found when going from 6.0.16 to 6.0.18 was an issue with some 
of our JSPs. The fix is described by jroller here:
http://www.searchfull.net/1289260.html

Since I had a real hard time getting to this website, I'll copy and paste the 
article here


Tomcat 6.0.18 includes a fix for JSP specification compliance as described in 
Bug #45015. Unfortunately, that means a lot of your JSPs will fail with the 
following exception: 
org.apache.jasper.JasperException:
/WEB-INF/jsp/myPage.jsp(44,72) Attribute value some java
scriplet is quoted with  which must be escaped when used within
the value
While I haven't found a way to automatically fix them, you can at least find 
all of your JSPs ( *.jsp*) in need of an update with the following regular 
expression (take a deep breath): 

\w+:[^]+=[^]*%=[^%]*|\w+:[^]+='[^']*%=[^%]*'


Enjoy,
Brian





From: Alan Chaney a...@compulsivecreative.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, December 29, 2008 11:54:56 AM
Subject: Hints on upgrading from 6.0.14 to 6.0.18 on production server

Hi

I have a 6.0.14 running with Apr 1.1.10 and I seem to be seeing instances of 
CVE-2007-6286: Tomcat duplicate request processing vulnerability

(64-Bit Server VM (build 1.6.0_03-b05, mixed mode))
(Centos 5.0 - Linux 2.6.18-8.el5 x86_64)


The obvious thing to do is to upgrade from 6.0.14 to 6.0.18. Firstly, are there 
any changes in server.xml and web.xml in 6.0.18 that mean I can't just use the 
existing ones in the new installation?

My current installation has $TOMCAT_HOME pointing to /usr/local/tomcat

My intended upgrade sequence is:

1. copy down 6.0.18 and untar it into /usr/local/tomcat18 (after checking 
signatures)

2. copy over the jars that I have placed in the old $TOMCAT_HOME/lib (eg 
postgres jdbc jar) to /usr/local/tomcat18/lib

3. copy over my webapp wars from $TOMCAT_HOME/webapps to the new webapps folder.

4. as I am using jsvc to control tomcat, copy over the 'tomcat' file from the 
$TOMCAT_HOME ('tomcat' is actually a shell script which sets up
all the environment variables for jsvc.) jsvc is in /usr/lib/tcnative/jsvc so 
it should be unaffected by the move. However
I do need to copy over the $TOMCAT_HOME/bin/commons-daemon.jar.

5. stop the old server and rename its directory to /usr/local/tomcat.old

6. rename the directory of the new server to that of the current server.

7. restart the server.


Am I missing anything? What have I overlooked? I need this to go as smoothly as 
possible as there is quite a lot of traffic on this site.

Thanks in advance

Alan Chaney


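Brian's regular expression above was meant to locate the JSPs that Tomcat 6.0.18 rejects under Bug #45015: a <%= %> expression sitting inside a quoted attribute value and containing that attribute's own quote character without a backslash. The scanner below is an added example, not code from this thread, from the jroller article or from Tomcat itself; it performs that check in Python and also rewrites each hit with the \" or \' escape the JSP specification requires, while stepping over scriptlets the way the older lenient parser did so the whole file is still walked. The sample JSP fragment is constructed for the example.

```python
import re

# Constructed sample (not from the thread): one attribute-value case per line.
SAMPLE_JSP = '''<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="<%= request.getParameter("name") %>"/>
<c:set var="ok" value="<%= request.getParameter(\\"name\\") %>"/>
<c:out value='<%= map.get("k") %>'/>
<c:out value='<%= map.get('k') %>'/>
<input type="text" value="<%= form.getName() %>">
'''

ATTR_START = re.compile(r'(\w+(?::\w+)?)\s*=\s*(["\'])')

def find_unescaped_scriptlet_quotes(jsp):
    """Return (line, attribute, body_start, body_end, quote) for each <%= %> in a
    quoted attribute value whose body holds the attribute's own quote unescaped."""
    findings, pos = [], 0
    while True:
        m = ATTR_START.search(jsp, pos)
        if not m:
            return findings
        attr, quote = m.group(1), m.group(2)
        unescaped = re.compile(r'(?<!\\)' + re.escape(quote))
        i = m.end()
        while i < len(jsp):
            if jsp.startswith('<%=', i):
                end = jsp.find('%>', i + 3)
                if end == -1:            # unterminated scriptlet: nothing more to check
                    break
                if unescaped.search(jsp[i + 3:end]):
                    findings.append((jsp.count('\n', 0, i) + 1, attr, i + 3, end, quote))
                i = end + 2              # step over the scriptlet, as the old lenient parser did
            elif jsp[i] == '\\':         # JSP escape sequence: skip the escaped character
                i += 2
            elif jsp[i] == quote:        # closing delimiter of the attribute value
                i += 1
                break
            else:
                i += 1
        pos = i

def escape_scriptlet_quotes(jsp):
    """Escape each flagged quote as \\" or \\', the form the JSP spec requires in attribute values."""
    out, last = [], 0
    for _, _, start, end, quote in find_unescaped_scriptlet_quotes(jsp):
        out.append(jsp[last:start])
        out.append(re.sub(r'(?<!\\)' + re.escape(quote), lambda q: '\\' + q.group(0), jsp[start:end]))
        last = end
    out.append(jsp[last:])
    return ''.join(out)
```

Run find_unescaped_scriptlet_quotes over each *.jsp file before the upgrade to get the line numbers Jasper will complain about; escape_scriptlet_quotes only touches the flagged scriptlet bodies, so a diff of its output against the original is small enough to review by hand.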