The only thing we found when going from 6.0.16 to 6.0.18 was an issue with some
of our JSP's. The fix is described by "jroller" here:
http://www.searchfull.net/1289260.html
Since I had a real hard time getting to this website, I'll copy and paste the
article here....
Tomcat 6.0.18 includes a fix for JSP specification compliance as described in
Bug #45015. Unfortunately, that means a lot of your JSPs will fail with the
following exception:
org.apache.jasper.JasperException:
/WEB-INF/jsp/myPage.jsp(44,72) Attribute value <some java
scriplet> is quoted with " which must be escaped when used within
the value
While I haven't found a way to automatically fix them, you can at least find
all of your JSPs ( *.jsp*) in need of an update with the following regular
expression (take a deep breath):
<\w+:[^>]+="[^<"]*<%=[^%]*"|<\w+:[^>]+='[^<']*<%=[^%]*'
Enjoy,
Brian
________________________________
From: Alan Chaney <a...@compulsivecreative.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Monday, December 29, 2008 11:54:56 AM
Subject: Hints on upgrading from 6.0.14 to 6.0.18 on production server
Hi
I have a 6.0.14 running with Apr 1.1.10 and I seem to be seeing instances of
CVE-2007-6286: Tomcat duplicate request processing vulnerability
(64-Bit Server VM (build 1.6.0_03-b05, mixed mode)
(Centos 5.0 - Linux 2.6.18-8.el5 x86_64 )
The obvious thing to do is to upgrade from 6.0.14 to 6.0.18. Firstly, are there
any changes in server.xml and web.xml in 6.0.18 that mean I can't just use the
existing ones in the new installation.
My current installation has $TOMCAT_HOME pointing to /usr/local/tomcat
My intended upgrade sequence is:
1. opy down 6.0.18 and untar it int /usr/local/tomcat18 (after checking
signatures)
2. copy over the jars that I have placed in the old $TOMCAT_HOME/lib (eg
postgres jdbc jar) to /usr/local/tomcat18/lib
3. copy over my webapp wars from $TOMCAT_HOME/webapps to the new webapps folder.
4. as I am using jsvc to control tomcat, copy over the 'tomcat' file from the
$TOMCAT_HOME ('tomcat' is actually a shell script which sets up
all the environment variables for jsvc.) jsvc is in /usr/lib/tcnative/jsvc so
it should be unaffected by the move. However
I do need to copy over the $TOMCAT_HOME/bin/commons-daemon.jar.
5. stop the old server and rename its directory to /usr/local/tomcat.old
6. rename the directory of the new server to that of the current the new server.
7. restart the server.
Am I missing anything? What have I overlooked? I need this to go as smoothly as
possible as there is quite a lot of traffic on this site.
Thanks in advance
Alan Chaney
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
