Solved

How to install Tomcat 5.5.X security patch

Posted on 2009-04-07
Last Modified: 2013-12-02
Can someone give me instructions on how to apply a patch to Tomcat? I can't find any instructions on the web and there isn't a setup file for me to execute.
Question by:bbogle2007
4 Comments
 
LVL 29

Assisted Solution

by:Michael W
Michael W earned 500 total points
ID: 24088506
Do you have a link to the patch so we can review it?

Do note that most patches can only be applied to source-code-built deployments on Linux/UNIX platforms. If you downloaded Tomcat as a binary, then you will not be able to apply the patch code.

0
 

Author Comment

by:bbogle2007
ID: 24090002
Here's another part of my problem. . . . I downloaded 5.5.27 from http://tomcat.apache.org/download-55.cgi. I am using this for GroupWise Web Access 7.0.3. This patch was just released on 1-20-09, so you would figure Novell would give you the most up-to-date version and I think they did. Some of the folder dates are from today, which is when I upgraded Web Access agent.

After I upgraded Web Access we had a PCI vulnerability scan. The scan failed with this result:

Apache Tomcat Calendar Application Cross-site Scripting Vulnerability

Description: The version of Tomcat running on this host includes an example calendar application. This application contains invalid HTML which renders the user input filtering for the 'time' parameter ineffective.  
 Note: All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
Remediation: This issue was fixed with the release of versions 6.0.19 in the 6.0.x branch, 5.5.28 in the 5.5.x branch, and 4.1.40 in the 4.1.x branch. However, it is strongly recommended that the latest stable version with all of the appropriate patches be installed.  

I can't even find 5.5.28. The version I downloaded from Apache is 5.5.27.
0
 
LVL 29

Accepted Solution

by:
Michael W earned 500 total points
ID: 24090201
Tomcat 5.5.28 is an SVN release -- also known as -- in development or alpha.

When you get a release from a vendor, it's usually the latest release that works against their current build. The 5.5.28 release is a development/alpha release thus might not be tested under their platform and not visible as an upgrade or fix as of yet.

About your best option would be to compile from the latest source release and patch the patch yourself. Do note that the vendor won't support it, as it is an alpha/developmental source code fix/release.

Reference:
http://tomcat.apache.org/security-5.html
0
 

Author Comment

by:bbogle2007
ID: 24090392
Thanks for the suggestion. I am not adventurous enough to apply a patch that is still in the alpha stage to a server that provides email to 75% of my company. The PCI people will just have to understand that this will be fixed some other time. What I did in the meantime was delete the calendar files that caused the vulnerability. We don't use them.
0
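The thread ends with the example calendar files removed instead of an upgrade. As an added example (not part of the thread, and not Apache or Novell code), the script below checks an installed version against the fixed releases named in the scan's remediation text and reports whether calendar example files are still deployed. The directory name `cal`, the function names and the invocation path are assumptions; the thread does not give the real location of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Fixed releases are taken from the scan's
# remediation text; the directory name "cal" is an assumed placeholder.

# fixed_version BRANCH: print the first fixed release for that branch.
fixed_version() {
  case $1 in
    6.0) echo 6.0.19 ;;
    5.5) echo 5.5.28 ;;
    4.1) echo 4.1.40 ;;
    *)   return 1 ;;
  esac
}

# version_is_fixed X.Y.Z: 0 = at or past the fix, 1 = older, 2 = unknown input.
version_is_fixed() (
  case $1 in
    *[!0-9.]*) exit 2 ;;
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) exit 2 ;;
  esac
  fixed=$(fixed_version "${1%.*}") || exit 2
  [ "${1##*.}" -ge "${fixed##*.}" ]
)

# find_calendar_example WEBAPPS_DIR [DIRNAME]: list files still deployed under
# any directory called DIRNAME (default "cal", an assumption) below WEBAPPS_DIR.
find_calendar_example() {
  find "$1" -type f -path "*/${2:-cal}/*" 2>/dev/null
}

# triage VERSION WEBAPPS_DIR [DIRNAME]: print one verdict on stdout and any
# leftover files on stderr; exit status 0 when the version is fixed or the
# example files are gone, 1 when an older version still ships them.
triage() (
  if version_is_fixed "$1"; then echo fixed-version; exit 0; fi
  hits=$(find_calendar_example "$2" "$3") || true
  if [ -z "$hits" ]; then echo mitigated-by-removal; exit 0; fi
  echo exposed
  printf '%s\n' "$hits" >&2
  exit 1
)

# Stand-alone use: sh triage.sh 5.5.27 /path/to/tomcat/webapps
if [ "$#" -ge 2 ]; then triage "$@"; fi
```

A `mitigated-by-removal` verdict only says the files are gone from disk; if the scanner keys on the reported Tomcat version instead of requesting the example page, it can still report the finding until the upgrade is done.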
