How to install Tomcat 5.5.X security patch

Posted on 2009-04-07
Last Modified: 2013-12-02
Can someone give me instructions on how to apply a patch to Tomcat. I can't find any instructions on the web and there isn't a setup file for me to execute.
Question by:bbogle2007
Assisted Solution

by:Michael Worsham
Michael Worsham earned 2000 total points
ID: 24088506
Do you have a link to the patch so we can review it?

Do note that most patches can only be applied to deployments built from source code on Linux/UNIX platforms. If you downloaded Tomcat as a binary, then you will not be able to apply the patch code.

Author Comment

by:bbogle2007
ID: 24090002
Here's another part of my problem. . . . I downloaded 5.5.27 from http://tomcat.apache.org/download-55.cgi. I am using this for GroupWise Web Access 7.0.3. This patch was just released on 1-20-09, so you would figure Novell would give you the most up-to-date version and I think they did. Some of the folder dates are from today, which is when I upgraded Web Access agent.

After I upgraded Web Access we had a PCI vulnerability scan. The scan failed with this result:

Apache Tomcat Calendar Application Cross-site Scripting Vulnerability

Description: The version of Tomcat running on this host includes an example calendar application. This application contains invalid HTML which renders the user input filtering for the 'time' parameter ineffective.  
 Note: All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
Remediation: This issue was fixed with the release of versions 6.0.19 in the 6.0.x branch, 5.5.28 in the 5.5.x branch, and 4.1.40 in the 4.1.x branch. However, it is strongly recommended that the latest stable version with all of the appropriate patches be installed.  

I can't even find 5.5.28. The version I downloaded from Apache is 5.5.27.
Accepted Solution

by:Michael Worsham
Michael Worsham earned 2000 total points
ID: 24090201
Tomcat 5.5.28 is an SVN release -- also known as -- in development or alpha.

When you get a release from a vendor, it's usually the latest release that works against their current build. The 5.5.28 release is a development/alpha release thus might not be tested under their platform and not visible as an upgrade or fix as of yet.

About your best option would be to compile from the latest source release and patch the patch yourself. Do note that the vendor won't support it, as it is an alpha/developmental source code fix/release.

Reference:
http://tomcat.apache.org/security-5.html
Author Comment

by:bbogle2007
ID: 24090392
Thanks for the suggestion. I am not adventurous enough to apply a patch that is still in the alpha stage to a server that provides email to 75% of my company. The PCI people will just have to understand that this will be fixed some other time. What I did in the meantime is deleted the calendar files that caused the vulnerability. We don't use them.
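
The check discussed in this thread, as an added example that is not part of the original posts or of Tomcat's own tooling: it compares a version banner against the fixed releases quoted in the scan result and lists any example files still deployed, so the removal workaround can be documented for the scan finding. The function names, the directory name `cal` and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# First fixed release per branch, taken from the scan's remediation text.
FIXED_PATCH = {(6, 0): 19, (5, 5): 28, (4, 1): 40}

def parse_version(text):
    """Pull (major, minor, patch) out of a banner such as 'Apache Tomcat/5.5.27'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def has_calendar_fix(version_text):
    """True/False for a listed branch, None when the scan text names no fix for it."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch >= fixed

def leftover_examples(webapps_dir, dir_names):
    """Files still deployed beneath any directory whose name is in dir_names."""
    root, wanted = Path(webapps_dir), {n.lower() for n in dir_names}
    hits = []
    for path in sorted(root.rglob("*")):
        parents = {p.lower() for p in path.relative_to(root).parts[:-1]}
        if path.is_file() and wanted & parents:
            hits.append(path.relative_to(root).as_posix())
    return hits

def assess(version_text, webapps_dir, dir_names):
    """Return (status, files): what to record against the scan finding."""
    fixed, files = has_calendar_fix(version_text), leftover_examples(webapps_dir, dir_names)
    if fixed:
        return "patched", files
    if files:
        return "example-present", files
    return ("branch-not-listed" if fixed is None else "example-removed"), files

if __name__ == "__main__":
    # Constructed sample tree; "examples/cal" is an assumed layout, not a real install.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "examples" / "cal").mkdir(parents=True)
        (Path(d) / "examples" / "cal" / "page.jsp").write_text("sample")
        print(assess("Apache Tomcat/5.5.27", d, ["cal"]))
```

Pass the real webapps directory and the directory names used by the installed example applications; an `example-removed` result with an empty file list is the evidence that the workaround is in place on an unpatched version.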