The version of Apache that is shown in JIRA is Apache Tomcat/6.0.20. I was told that this update was needed from Foundstone after a recent scan was done. This is a 32-bit VM. Here are some of the vulnerabilities that we found, but most of the problems found tell us the same thing about how to fix them, which is to go to the next upgrade/update of Apache.

Apache Tomcat WAR Deployment Directory Traversal Vulnerability
The vendor has made an updated version available for remediation: http://svn.apache.org/viewvc?view=revision&revision=902650
For Apache Tomcat 5.5.x, upgrade to 5.5.29 or later.
For Apache Tomcat 6.0.x, upgrade to 6.0.24 or later.

Apache Tomcat Failed Deployment Information Disclosure Vulnerability
The vendor has made an updated version available for remediation.
For Apache Tomcat 5.5.x, upgrade to 5.5.29 or later.
For Apache Tomcat 6.0.x, upgrade to 6.0.24 or later.

Apache Tomcat WAR File Names Directory Traversal Vulnerability
The vendor has made an updated version available for remediation.
For Apache Tomcat 5.5.x, upgrade to 5.5.29 or later.
For Apache Tomcat 6.0.x, upgrade to 6.0.24 or later.

Apache Tomcat NIO Connector Denial Of Service
The vendor has released an update to address the issue: http://tomcat.apache.org/security-7.html

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Monday, October 10, 2011 10:35 AM
To: Tomcat Users List
Subject: EXTERNAL: Re: install of Tomcat 6.0.33

On 10/10/2011 15:18, Palmer, Anthony wrote:
> Hello, I am looking for documentation on doing a patch install.

There is no documentation since the ASF does not release patches. Each release of Apache Tomcat is a full release. There is no mechanism to patch an older release to a newer one. There are some really ugly hacks that might work but I'd really rather not go there.

What version of Tomcat are you upgrading from?

> I am really new to doing this type of work so I could really use some
> help on how to do this. I am currently running JIRA 4.2.2 which
> apache was bundled with and was told that this update was needed.

Told by whom? What problem are you trying to fix?

If you are running Jira 4.2.2 then you need to upgrade Jira as well.

> Since there is no .exe file run in the apache-tomcat-6.0.33 file that
> I downloaded I was hoping for some help on how to handle this update
> with some written step by step instructions. This patch will be going
> on a Windows 2003 server.

32-bit or 64-bit?

Atlassian will disagree with this view but my recommendation would be to install the latest Tomcat 6.0.x release along with the latest Jira release using the WAR distribution rather than the bundled distribution. Further, if you separate CATALINA_HOME and CATALINA_BASE future upgrades of Tomcat are trivial. The ASF uses this approach for its own Jira installation and it works very well.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
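
The CATALINA_HOME / CATALINA_BASE separation recommended in the reply above, sketched in PowerShell as an added example that is not part of the original thread or of any project's own scripts. Both directory paths are assumptions, and it assumes JAVA_HOME or JRE_HOME is already set and that Tomcat is started from the batch scripts rather than as a Windows service.

```powershell
# Added example. Both paths are assumed for illustration only.
$CatalinaBase = 'D:\jira\catalina-base'            # instance data: kept across upgrades
$CatalinaHome = 'D:\tomcat\apache-tomcat-6.0.33'   # unpacked release: swapped on upgrade

function Initialize-CatalinaBase {
    param([string]$TomcatHome, [string]$Base)
    # Directories Tomcat expects to find under CATALINA_BASE.
    foreach ($dir in 'conf', 'logs', 'temp', 'webapps', 'work') {
        New-Item -ItemType Directory -Force -Path (Join-Path $Base $dir) | Out-Null
    }
    # Seed conf once from the release; never overwrite an existing instance config.
    if (-not (Test-Path (Join-Path $Base 'conf\server.xml'))) {
        Copy-Item -Path (Join-Path $TomcatHome 'conf\*') `
                  -Destination (Join-Path $Base 'conf') -Recurse
    }
}

function Start-TomcatInstance {
    param([string]$TomcatHome, [string]$Base)
    if (-not (Test-Path (Join-Path $TomcatHome 'bin\catalina.bat'))) {
        throw "No Tomcat release found at $TomcatHome"
    }
    # The release's scripts read both variables: binaries come from HOME,
    # configuration, logs and web applications come from BASE.
    $env:CATALINA_HOME = $TomcatHome
    $env:CATALINA_BASE = $Base
    & (Join-Path $TomcatHome 'bin\version.bat')    # prints the release actually in use
    & (Join-Path $TomcatHome 'bin\startup.bat')
}

Initialize-CatalinaBase -TomcatHome $CatalinaHome -Base $CatalinaBase
Start-TomcatInstance    -TomcatHome $CatalinaHome -Base $CatalinaBase

# Later upgrade: unpack the new full release next to the old one, point
# $CatalinaHome at it, and run the script again. $CatalinaBase is untouched.
```

The output of `version.bat` is the value to compare against the minimum fixed releases listed in the scan findings.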