On May 8, 2013, at 1:17 PM, suresh babu yella wrote:

> Hi Dan,
>
> We might consider for upgrading the tomcat later, due to supportability
> concerns from Autonomy we cannot upgrade it to any of the higher version.

I don't know that vendor, but it sounds like you might need to have a conversation with them and see what is taking them so incredibly long (6.0.18 was released in Jul 2008) to upgrade.

> but right now we are looking to apply the fix for all CVEs we identified,
> it will be great if you can let me know the procedure.

Each of the security issues that have been fixed are documented at the link you included.

http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities

You might be able to go through and apply mitigations for each of them, but that's going to be a long and tedious process. This is why you should really consider upgrading. That will bring everything up-to-date in one step.

Dan

> Thanks
> Suresh
>
> On Wed, May 8, 2013 at 10:11 AM, Daniel Mikusa <dmik...@gopivotal.com> wrote:
>
>> On May 8, 2013, at 12:11 PM, suresh babu yella wrote:
>>
>>> We are using tomcat 6.0.18 and we found below number of Common
>>> Vulnerabilities and Exposures (CVE).
>>
>> Not surprising given the version that you are using. Latest version is
>> 6.0.37.
>>
>>> High Vulns: 98
>>>
>>> Medium Vulns: 50
>>>
>>> Low Vulns: 6
>>>
>>> We cannot upgrade/patch any of those components due to supportability
>>> concerns from Autonomy.
>>>
>>> How can I apply a fix for all the CVE, I see the build instructions in
>>> below link but I was looking for applying the fixes without upgrade.
>>
>> You should really consider upgrading. Why are you so opposed to upgrading?
>>
>> Dan
>>
>>> Security -
>>> http://tomcat.apache.org/security-6.html#Apache_Tomcat_6.x_vulnerabilities
>>> Build Instructions -
>>> http://tomcat.apache.org/tomcat-6.0-doc/building.html
>>>
>>> Thanks
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org