Hello,
I'd like to know what I should upgrade - tomcat or apache httpd?

CVE pointed out that some of the Tomcat versions on Linux have a vulnerability.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729

I have opentaps 1.0.3 (includes tomcat 5.5.20) running on apache 2.2.3 using mod_jk. Do you think I need to upgrade tomcat or apache? It's a little bit difficult to upgrade the opentaps version itself.

It might not be so difficult to upgrade both, but I'd like to make sure what the real problem is before taking the next step.

My doubt is, if tomcat is being used through mod_jk, then the tomcat version itself might not matter. And this means I do not need to upgrade tomcat, but rather need to upgrade apache httpd, which would be the interface of the server. According to the CVE posting, it says I need to upgrade to tomcat which includes a vulnerable version of jsvc. Thus I need to upgrade to jsvc 1.0.7 or later (I guess it's being used in tomcat & apache both). But I couldn't find what version of jsvc is being used on apache httpd 2.2.3. So I'm not sure whether I need to upgrade apache httpd itself as well or not.

Any help would be appreciated. Thank you for reading.

Thank you.
Soon-Won Park

Apache only talks to mod_jk, not Tomcat, so the version of Apache you need is whatever is compatible with your version of mod_jk.

I use Debian Linux, so what I would do first is use Google to work out whether the version of Tomcat I want to use requires a specific version of mod_jk. If so, I would use Debian's apt-get to ensure I had at least that version of mod_jk, and apt-get would automatically ensure I had a compatible version of Apache.

Of course, if you don't use a package manager such as apt-get, then you'll have to read the release notes for the version you want to use. However the documentation for these is usually pretty good at telling you if there's some restriction with what version works with what.

I suspect that doesn't answer all of your question, but hopefully it gives you a starting point, and maybe someone else can fill in the gaps. I don't use Apache/mod_jk these days, having switched to nginx.

Cheers,
Anne.

On 11 October 2011 01:22, Soon Won Park <[hidden email]> wrote:
> Hello,
>
> I'd like to know what I should upgrade - tomcat or apache httpd?
>
> CVE pointed out that some of the Tomcat versions on Linux have a vulnerability.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
>
> I have opentaps 1.0.3 (includes tomcat 5.5.20) running on apache
> 2.2.3 using mod_jk. Do you think I need to upgrade tomcat or
> apache? It's a little bit difficult to upgrade the opentaps version itself.
>
> It might not be so difficult to upgrade both, but I'd like to make
> sure what the real problem is before taking the next step.
>
> My doubt is, if tomcat is being used through mod_jk, then the tomcat
> version itself might not matter. And this means I do not need to
> upgrade tomcat, but rather need to upgrade apache httpd, which would be
> the interface of the server. According to the CVE posting, it says I need
> to upgrade to tomcat which includes a vulnerable version of jsvc. Thus I
> need to upgrade to jsvc 1.0.7 or later (I guess it's being used in
> tomcat & apache both). But I couldn't find what version of jsvc is
> being used on apache httpd 2.2.3. So I'm not sure whether I need to upgrade
> apache httpd itself as well or not.
>
> Any help would be appreciated. Thank you for reading.
>
> Thank you.
> Soon-Won Park
>

--
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Phone: (03) 9585 6788
Fax: (03) 9585 1086
Web: http://www.cohsoft.com.au/
Email: [hidden email]

Bonsai ERP, the all-inclusive ERP system
http://www.bonsaierp.com.au/

Hello Anne,
Thank you for the valuable advice. Yea, I can start with upgrading httpd. I'm taking a look now actually. But I hope I could get the answer for the "gap" as well, as you mentioned.

Thank you.
Soon-Won

On Mon, Oct 10, 2011 at 7:15 PM, Anne <[hidden email]> wrote:
> Apache only talks to mod_jk, not Tomcat, so the version of Apache you
> need is whatever is compatible with your version of mod_jk.
>
> I use Debian Linux, so what I would do first is use Google to work out
> whether the version of Tomcat I want to use requires a specific
> version of mod_jk. If so, I would use Debian's apt-get to ensure I had
> at least that version of mod_jk, and apt-get would automatically
> ensure I had a compatible version of Apache.
>
> Of course, if you don't use a package manager such as apt-get, then
> you'll have to read the release notes for the version you want to use.
> However the documentation for these is usually pretty good at telling
> you if there's some restriction with what version works with what.
>
> I suspect that doesn't answer all of your question, but hopefully it
> gives you a starting point, and maybe someone else can fill in the
> gaps. I don't use Apache/mod_jk these days, having switched to nginx.
>
> Cheers,
> Anne.
>
> On 11 October 2011 01:22, Soon Won Park <[hidden email]> wrote:
>> Hello,
>>
>> I'd like to know what I should upgrade - tomcat or apache httpd?
>>
>> CVE pointed out that some of the Tomcat versions on Linux have a vulnerability.
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2729
>>
>> I have opentaps 1.0.3 (includes tomcat 5.5.20) running on apache
>> 2.2.3 using mod_jk. Do you think I need to upgrade tomcat or
>> apache? It's a little bit difficult to upgrade the opentaps version itself.
>>
>> It might not be so difficult to upgrade both, but I'd like to make
>> sure what the real problem is before taking the next step.
>>
>> My doubt is, if tomcat is being used through mod_jk, then the tomcat
>> version itself might not matter. And this means I do not need to
>> upgrade tomcat, but rather need to upgrade apache httpd, which would be
>> the interface of the server. According to the CVE posting, it says I need
>> to upgrade to tomcat which includes a vulnerable version of jsvc. Thus I
>> need to upgrade to jsvc 1.0.7 or later (I guess it's being used in
>> tomcat & apache both). But I couldn't find what version of jsvc is
>> being used on apache httpd 2.2.3. So I'm not sure whether I need to upgrade
>> apache httpd itself as well or not.
>>
>> Any help would be appreciated. Thank you for reading.
>>
>> Thank you.
>> Soon-Won Park
>>
>
> --
> Coherent Software Australia Pty Ltd
> PO Box 2773
> Cheltenham Vic 3192
> Phone: (03) 9585 6788
> Fax: (03) 9585 1086
> Web: http://www.cohsoft.com.au/
> Email: [hidden email]
>
> Bonsai ERP, the all-inclusive ERP system
> http://www.bonsaierp.com.au/
>
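
A host-side check for the question raised in this thread, as an added example that is not part of any post: it reads a `ps -eo pid,args` style listing, reports whether Tomcat is started through jsvc (the Apache Commons Daemon launcher), and compares an operator-supplied jsvc version with the 1.0.7 fix level quoted above. The process lines, paths and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. The listings below are constructed, not captured output.
FIXED_JSVC="1.0.7"   # fix level quoted in the thread

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; x=${x%%[!0-9]*}
        y=${b%%.*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# tomcat_launchers: read "PID ARGS" lines on stdin and print "PID jsvc" or
# "PID other" for each process running Tomcat's Bootstrap class.
tomcat_launchers() {
    while read -r pid exe rest; do
        case $rest in *org.apache.catalina.startup.Bootstrap*) ;; *) continue ;; esac
        case ${exe##*/} in
            jsvc*) echo "$pid jsvc" ;;
            *)     echo "$pid other" ;;
        esac
    done
}

# assess LISTING JSVC_VERSION: summarise whether the jsvc fix level applies.
assess() {
    if ! printf '%s\n' "$1" | tomcat_launchers | grep -q ' jsvc$'; then
        echo "no-jsvc"
    elif version_lt "$2" "$FIXED_JSVC"; then
        echo "below-$FIXED_JSVC"
    else
        echo "at-or-above-$FIXED_JSVC"
    fi
}

PS_JAVA='1201 /usr/sbin/httpd -k start
2310 /usr/bin/java -Dcatalina.home=/opt/tomcat org.apache.catalina.startup.Bootstrap start'
PS_JSVC='1201 /usr/sbin/httpd -k start
2310 /usr/bin/jsvc -user tomcat -cp /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap'

echo "java launcher:      $(assess "$PS_JAVA" 1.0.5)"
echo "jsvc 1.0.5 in use:  $(assess "$PS_JSVC" 1.0.5)"
```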