The only thing we found when going from 6.0.16 to 6.0.18 was an issue with some of our JSPs. The fix is described by "jroller" here: http://www.searchfull.net/1289260.html

Since I had a real hard time getting to this website, I'll copy and paste the article here....

Tomcat 6.0.18 includes a fix for JSP specification compliance as described in Bug #45015. Unfortunately, that means a lot of your JSPs will fail with the following exception:

    org.apache.jasper.JasperException: /WEB-INF/jsp/myPage.jsp(44,72) Attribute value <some java scriplet> is quoted with " which must be escaped when used within the value

While I haven't found a way to automatically fix them, you can at least find all of your JSPs (*.jsp*) in need of an update with the following regular expression (take a deep breath):

    <\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'

Enjoy,
Brian

________________________________
From: Alan Chaney <a...@compulsivecreative.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Monday, December 29, 2008 11:54:56 AM
Subject: Hints on upgrading from 6.0.14 to 6.0.18 on production server

Hi

I have a 6.0.14 running with Apr 1.1.10 and I seem to be seeing instances of CVE-2007-6286: Tomcat duplicate request processing vulnerability (64-Bit Server VM (build 1.6.0_03-b05, mixed mode) (Centos 5.0 - Linux 2.6.18-8.el5 x86_64 )

The obvious thing to do is to upgrade from 6.0.14 to 6.0.18.

Firstly, are there any changes in server.xml and web.xml in 6.0.18 that mean I can't just use the existing ones in the new installation?

My current installation has $TOMCAT_HOME pointing to /usr/local/tomcat

My intended upgrade sequence is:

1. copy down 6.0.18 and untar it into /usr/local/tomcat18 (after checking signatures)
2. copy over the jars that I have placed in the old $TOMCAT_HOME/lib (eg postgres jdbc jar) to /usr/local/tomcat18/lib
3. copy over my webapp wars from $TOMCAT_HOME/webapps to the new webapps folder.
4. as I am using jsvc to control tomcat, copy over the 'tomcat' file from the $TOMCAT_HOME ('tomcat' is actually a shell script which sets up all the environment variables for jsvc.) jsvc is in /usr/lib/tcnative/jsvc so it should be unaffected by the move. However I do need to copy over the $TOMCAT_HOME/bin/commons-daemon.jar.
5. stop the old server and rename its directory to /usr/local/tomcat.old
6. rename the directory of the new server to that of the current the new server.
7. restart the server.

Am I missing anything? What have I overlooked? I need this to go as smoothly as possible as there is quite a lot of traffic on this site.

Thanks in advance

Alan Chaney
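An added example, not part of the thread: a small Python scanner that applies the regular expression quoted in Brian's reply to whole files, so that tag attributes wrapped across lines are caught and each hit is reported with its line number. The function names and the sample JSP lines are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# The regular expression exactly as quoted in the thread: a custom-tag
# attribute whose value holds a <%= ... %> expression that itself contains
# the same quote character that delimits the attribute.
PATTERN = re.compile(
    r"""<\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'"""
)

# Constructed sample input (not taken from any real application).
SAMPLE = '''<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<c:out value="<%= request.getParameter("id") %>"/>
<c:out value='<%= request.getParameter("id") %>'/>
<html:text property="name"
    value="<%= bean.get("name") %>"/>
'''


def find_offending_attributes(text):
    """Return [(line_number, matched_text)]; line numbers are 1-based and
    refer to the line on which the matching tag starts."""
    hits = []
    for m in PATTERN.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        # Collapse whitespace so multi-line matches print on one line.
        hits.append((line, " ".join(m.group(0).split())))
    return hits


def scan_tree(root):
    """Scan every *.jsp* file under root (the glob used in the thread);
    return {path: hits} for the files that have at least one hit."""
    report = {}
    for path in sorted(Path(root).rglob("*.jsp*")):
        if path.is_file():
            hits = find_offending_attributes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, hits in scan_tree(sys.argv[1]).items():
            for line, text in hits:
                print(f"{name}:{line}: {text}")
    else:
        for line, text in find_offending_attributes(SAMPLE):
            print(f"sample:{line}: {text}")
```

The pattern only looks for a repeated quote character, so an attribute already rewritten with `\"` escapes is still reported; treat the output as a review list, not as a pass/fail check.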