?
Solved

How to install Tomcat 5.5.X security patch

Posted on 2009-04-07
4
Medium Priority
?
798 Views
Last Modified: 2013-12-02
Can someone give me instructions on how to apply a patch to Tomcat. I can't find any instructions on the web and there isn't a setup file for me to execute.
0
Comment
Question by:bbogle2007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 29

Assisted Solution

by:Michael Worsham
Michael Worsham earned 2000 total points
ID: 24088506
Do you have a link to the patch so we can review it?

No note that most patches can only be applied to source code built deployments on Linux/UNIX platforms. If you downloaded Tomcat as a binary, then you will not be able to apply the patch code.

0
 

Author Comment

by:bbogle2007
ID: 24090002
Here's another part of my problem. . . . I downloaded 5.5.27 from http://tomcat.apache.org/download-55.cgi. I am using this for GroupWise Web Access 7.0.3. This patch was just released on 1-20-09, so you would figure Novell would give you the most up-to-date version and I think they did. Some of the folder dates are from today, which is when I upgraded Web Access agent.

After I upgraded Web Access we had a PCI vulnerability scan. The scan failed with this result

Apache Tomcat Calendar Application Cross-site Scripting Vulnerability

Description: The version of Tomcat running on this host includes an example calendar application. This application contains invalid HTML which renders the user input filtering for the 'time' parameter ineffective.  
 Note: All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
Remediation: This issue was fixed with the release of versions 6.0.19 in the 6.0.x branch, 5.5.28 in the 5.5.x branch, and 4.1.40 in the 4.1.x branch. However, it is strongly recommended that the latest stable version with all of the appropriate patches be installed.  

I can't even find 5.5.28. The version I downloaded from Apache is 5.5.27.
0
 
LVL 29

Accepted Solution

by:
Michael Worsham earned 2000 total points
ID: 24090201
Tomcat 5.5.28 is an SVN release -- also known as -- in development or alpha.

When you get a release from a vendor, it's usually the latest release that works against their current build. The 5.5.28 release is a development/alpha release thus might not be tested under their platform and not visible as an upgrade or fix as of yet.

About your best option would be to compile from the latest source release and patch the patch yourself. Due note that the vendor won't support as it is a alpha/developmental source code fix/release.

Reference:
http://tomcat.apache.org/security-5.html
0
 

Author Comment

by:bbogle2007
ID: 24090392
Thanks for the suggestion. I am not adventurous to apply a patch that is still in the alpah stage to a server that provides email to 75% of my company. the PCI people will just have to understand that this will be fixed some other time. What I did in the mean time is deleted the calandar files that caused the vulnerability. We don't use them.
0

Featured Post

Tutorial: Introduction to Managing a Linux Server

In this tutorial on systemd, we will explore:
-OS/Distro Adoption
-chkconfig and Other Legacy Commands
-Summary and Key Commands

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A publishing tool, a Version Control System, or a Collaboration Platform! These can be some of the defining words for the two very famous web-hosting Git repositories: Bitbucket and Github. Git is widely used amongst the programmers and developers f…
Real-time is more about the business, not the technology. In day-to-day life, to make real-time decisions like buying or investing, business needs the latest information(e.g. Gold Rate/Stock Rate). Unlike traditional days, you need not wait for a fe…
This video teaches viewers how to create their own website using cPanel and Wordpress. Tutorial walks users through how to set up their own domain name from tools like Domain Registrar, Hosting Account, and Wordpress. More specifically, the order in…
Use Wufoo, an online form creation tool, to make powerful forms. Learn how to selectively show certain fields based on user input using rules to gather relevant information and data from your forms. The rules feature provides you with an opportunity…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question