Updating Tomcat

noah_swanson
New Contributor

Our recent security scan detected a vulnerability with Tomcat and naturally, I'm being asked to update. Currently our Mac server has 6.0.18 and 6.0.26 is available.

Has anyone updated Tomcat? Any words of caution before I do this?

Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com


RobertHammen
Valued Contributor II

I would not attempt to update this without checking with JAMF support first - you don't want to solve a potential problem but create another massive one (i.e. if Casper stops working).
On Mar 11, 2010, at 12:54 PM, Swanson Noah wrote:

As an aside, this is a good reason to join the Apple Developer Program (now down to $99/year) and have access to the developer seeds. I have no knowledge if future versions of OS X Server will contain this patch, but if you had access to the seeds you could find out if Apple's going to fix the problem (at which point you know JAMF will be quick to address any compatibility issues), or if you'll have to manually update it (with JAMF's OK first, though)...

--Robert

jarednichols
Honored Contributor

What's the vulnerability? If it was Nessus scanned (like ours) it may be throwing an error about accepting weak SSL algos. I can help you out in limiting what Tomcat will accept if that's the case.

j
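For readers who hit the weak-cipher finding Jared describes rather than the Tomcat code vulnerabilities, the restriction is done on the HTTPS `<Connector>` in Tomcat's `server.xml`. The fragment below is an added illustration, not configuration from this thread or from JAMF; the file path, port, keystore name and password are placeholders, and the cipher list is an example of an explicit allow-list rather than a recommendation for any particular environment. The first connector accepts the JVM's default cipher suites (which, on the Java of that era, included export-grade and anonymous suites that scanners flag); the second pins the suites via the `ciphers` attribute that the Tomcat 6 JSSE connector supports.

```xml
<!-- Added example: a Tomcat 6 HTTPS connector before and after limiting
     accepted cipher suites. Not from the thread; paths and credentials
     are placeholders (see /path/to/keystore.jks and changeit). -->

<!-- Before: no ciphers attribute, so whatever the JVM enables by default is
     accepted. A Nessus-style scan reports the weak suites in that default. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="changeit" />

<!-- After: the ciphers attribute is an explicit, comma-separated allow-list.
     Only suites named here are offered during the TLS handshake, so the
     weak JVM defaults are no longer accepted. The suite names are standard
     JSSE names; the exact list to use is an assumption for illustration. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/keystore.jks"
           keystorePass="changeit"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA" />
```

After editing, restart Tomcat and re-run the same scanner against the port; if the finding persists, confirm the connector you edited is the one actually bound to the scanned port, since a `server.xml` often carries more than one `<Connector>`. Any suite name the running JVM does not recognise is silently dropped from the list, so a list made entirely of unsupported names leaves the connector unable to negotiate TLS at all, which is worth checking with a browser before relying on the change.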

noah_swanson
New Contributor

"Apache Tomcat Information Disclosure Vulnerability"

"Apache Tomcat Java AJP Connector Invalid Header Denial of Service"

Both have been fixed by Apache in 6.0.20: http://tomcat.apache.org/security-6.html.