+8Our recent security scan detected a vulnerability with Tomcat and naturally, I'm being asked to update. Currently our Mac server has 6.0.18 and 6.0.26 is available.
Has anyone updated Tomcat? Any words of caution before I do this?
Noah Swanson
Imaging Specialist
Enterprise Desktop Services
Phone: 309-765-3153
SwansonNoah at johndeere.com
+29I would not attempt to update this without checking with JAMF support first - you don't want to solve a potential problem but create another massive one (i.e. if Casper stops working).
On Mar 11, 2010, at 12:54 PM, Swanson Noah wrote:
As an aside, this is a good reason to join the Apple Developer Program (now down to $99/year) and have access to the developer seeds. I have no knowledge if future versions of OS X Server will contain this patch, but if you had access to the seeds you could find out if Apple's going to fix the problem (at which point you know JAMF will be quick to address any compatibility issues), or if you'll have to manually update it (with JAMF's OK first, though)...
--Robert
+24What's the vulnerability? If it was Nessus scanned (like ours) it may be
throwing an error about accepting weak SSL algos. I can help you out in
limiting what Tomcat will accept if that's the case.
j
+8"Apache Tomcat Information Disclosure Vulnerability"
"Apache Tomcat Java AJP Connector Invalid Header Denial of Service"
Both have been fixed by Apache in 6.0.20: http://tomcat.apache.org/security-6.html.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.