How to install Tomcat 5.5.X security patch

Can someone give me instructions on how to apply a patch to Tomcat. I can't find any instructions on the web and there isn't a setup file for me to execute.
bbogle2007Asked:
Who is Participating?
 
Michael WorshamConnect With a Mentor Infrastructure / Solutions ArchitectCommented:
Tomcat 5.5.28 is an SVN release -- also known as -- in development or alpha.

When you get a release from a vendor, it's usually the latest release that works against their current build. The 5.5.28 release is a development/alpha release thus might not be tested under their platform and not visible as an upgrade or fix as of yet.

About your best option would be to compile from the latest source release and patch the patch yourself. Due note that the vendor won't support as it is a alpha/developmental source code fix/release.

Reference:
http://tomcat.apache.org/security-5.html
0
 
Michael WorshamConnect With a Mentor Infrastructure / Solutions ArchitectCommented:
Do you have a link to the patch so we can review it?

No note that most patches can only be applied to source code built deployments on Linux/UNIX platforms. If you downloaded Tomcat as a binary, then you will not be able to apply the patch code.

0
 
bbogle2007Author Commented:
Here's another part of my problem. . . . I downloaded 5.5.27 from http://tomcat.apache.org/download-55.cgi. I am using this for GroupWise Web Access 7.0.3. This patch was just released on 1-20-09, so you would figure Novell would give you the most up-to-date version and I think they did. Some of the folder dates are from today, which is when I upgraded Web Access agent.

After I upgraded Web Access we had a PCI vulnerability scan. The scan failed with this result

Apache Tomcat Calendar Application Cross-site Scripting Vulnerability

Description: The version of Tomcat running on this host includes an example calendar application. This application contains invalid HTML which renders the user input filtering for the 'time' parameter ineffective.  
 Note: All Cross-Site Scripting vulnerabilities are considered non-compliant by PCI.
Remediation: This issue was fixed with the release of versions 6.0.19 in the 6.0.x branch, 5.5.28 in the 5.5.x branch, and 4.1.40 in the 4.1.x branch. However, it is strongly recommended that the latest stable version with all of the appropriate patches be installed.  

I can't even find 5.5.28. The version I downloaded from Apache is 5.5.27.
0
 
bbogle2007Author Commented:
Thanks for the suggestion. I am not adventurous to apply a patch that is still in the alpah stage to a server that provides email to 75% of my company. the PCI people will just have to understand that this will be fixed some other time. What I did in the mean time is deleted the calandar files that caused the vulnerability. We don't use them.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.