Solved

How to install Tomcat 5.5.X security patch

Posted on 2009-04-07
Last Modified: 2013-12-02
Can someone give me instructions on how to apply a patch to Tomcat? I can't find any instructions on the web and there isn't a setup file for me to execute.
Question by:bbogle2007

Assisted Solution

by:Michael W
Michael W earned 500 total points
ID: 24088506
Do you have a link to the patch so we can review it?

Do note that most patches can only be applied to source-code-built deployments on Linux/UNIX platforms. If you downloaded Tomcat as a binary, then you will not be able to apply the patch code.


Author Comment

by:bbogle2007
ID: 24090002
Here's another part of my problem. . . . I downloaded 5.5.27 from http://tomcat.apache.org/download-55.cgi. I am using this for GroupWise Web Access 7.0.3. This patch was just released on 1-20-09, so you would figure Novell would give you the most up-to-date version and I think they did. Some of the folder dates are from today, which is when I upgraded Web Access agent.

After I upgraded Web Access we had a PCI vulnerability scan. The scan failed with this result:

Apache Tomcat Calendar Application Cross-site Scripting Vulnerability

Description: The version of Tomcat running on this host includes an example calendar application. This application contains invalid HTML which renders the user input filtering for the 'time' parameter ineffective.  
 Note: All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
Remediation: This issue was fixed with the release of versions 6.0.19 in the 6.0.x branch, 5.5.28 in the 5.5.x branch, and 4.1.40 in the 4.1.x branch. However, it is strongly recommended that the latest stable version with all of the appropriate patches be installed.  

I can't even find 5.5.28. The version I downloaded from Apache is 5.5.27.

Accepted Solution

by:
Michael W earned 500 total points
ID: 24090201
Tomcat 5.5.28 is an SVN release -- also known as -- in development or alpha.

When you get a release from a vendor, it's usually the latest release that works against their current build. The 5.5.28 release is a development/alpha release thus might not be tested under their platform and not visible as an upgrade or fix as of yet.

About your best option would be to compile from the latest source release and patch the patch yourself. Do note that the vendor won't support it, as it is an alpha/developmental source code fix/release.

Reference:
http://tomcat.apache.org/security-5.html

Author Comment

by:bbogle2007
ID: 24090392
Thanks for the suggestion. I am not adventurous enough to apply a patch that is still in the alpha stage to a server that provides email to 75% of my company. The PCI people will just have to understand that this will be fixed some other time. What I did in the meantime is deleted the calendar files that caused the vulnerability. We don't use them.
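
Added example (not part of the original thread and not written by either poster): a shell check for confirming the workaround described in the last comment, i.e. that no sample calendar pages remain under a Tomcat `webapps` directory before the next scan. It goes slightly beyond the thread by also listing any example webapps that are still deployed; the directory-name heuristics (`cal`, `*examples*`) and the path argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the sample calendar pages
# live in a directory named "cal" inside a webapp whose name contains
# "examples"; the webapps path is supplied by the operator.

# Print sample calendar pages (JSP/HTML) still present under a webapps dir.
find_calendar_examples() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f \( -name '*.jsp' -o -name '*.html' \) \
        -path '*examples*/cal/*' -print | sort
}

# Print top-level webapps (directories or WAR files) that look like examples.
find_example_webapps() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    for entry in "$1"/*examples*; do
        [ -e "$entry" ] && echo "$entry"
    done
    return 0
}

# Exit status: 0 = clean, 1 = calendar pages still deployed, 2 = bad path.
audit_webapps() {
    cal_hits=$(find_calendar_examples "$1") || return 2
    app_hits=$(find_example_webapps "$1") || return 2
    if [ -n "$app_hits" ]; then
        echo "Example webapps still deployed (review whether they are needed):"
        echo "$app_hits"
    fi
    if [ -n "$cal_hits" ]; then
        echo "Sample calendar pages still deployed:"
        echo "$cal_hits"
        return 1
    fi
    echo "No sample calendar pages found under $1"
    return 0
}

# Run only when a path is given, e.g.: sh audit.sh "$CATALINA_HOME/webapps"
if [ "$#" -gt 0 ]; then
    audit_webapps "$1"
fi
```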