On 22/07/2011 17:26, Ian Marsh wrote:
> Hi,
>
> I am in charge of running an Apache-2, Tomcat-7, Ubuntu-10.04 set up
> for which we have to be PCI Compliant. We recently upgraded to
> Apache-2.2.17 and Tomcat-7.0.8 (from Apache-2.0.x and Tomcat 5.0.28)
> in order to comply with the requirements of the PCI Compliance checks
> and ironed out any issues to get us back to a satisfactory running
> state.

Hmm. I think you need some better PCI auditors. If your app was running on Tomcat 5.0.x and you trust the app (which seems reasonable given it is doing something that requires PCI compliance) then an upgrade to 7.0.12 should be sufficient if you are using the HTTP BIO connector. Since Tomcat appears to be behind httpd then there is a strong chance you are using AJP (BIO or APR), in which case 7.0.2 should be sufficient.

It appears your current auditors are blindly (and wrongly) assuming any vulnerability in Tomcat will impact your installation. Expect a demand to upgrade to 7.0.19 when they get around to reading the Tomcat security pages again.

<snip/>

> It seems that the character arrays [C, java.lang.String and
> javax.servlet.jsp.tagext.TagAttributeInfo entries are considerably
> higher in Tomcat-7.0.10 than in Tomcat-7.0.8 and I am wondering if
> this could lead to an explanation for the difference.

Maybe. What you really want to look at is the GC roots for those objects. That will tell you what is holding on to the references. Based on that data I'd start looking at the arrays of TagAttributeInfo but that might be completely the wrong place to look.

I've just triggered a heap dump on the ASF Jira instance (running 7.0.19) to see what that looks like. I'll report back what I find (once the 4GB heap has finished downloading - it may be some time).

> Would anyone know of any changes between the two versions, possibly
> linked to those memory entries, that could lead to such behaviour?

Nothing jumped out at me from the changelog.

> Any help or suggestions are greatly appreciated! I'm sorry for a long
> post, but hopefully it's got the information needed to help diagnosis.

To be honest, there isn't enough info here to diagnose the root cause but there is enough to demonstrate that there is probably a problem and maybe where to start looking. That might not seem like much but it is a heck of a lot better than most of the reports we get here.

Thanks for providing such a useful problem report.

Mark