Upgrade Tomcat version to 6.0.24
--------------------------------

                 Key: OFBIZ-3424
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3424
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
    Affects Versions: SVN trunk
            Reporter: Erwan de FERRIERES
            Priority: Blocker
             Fix For: SVN trunk


3 security issues have been released today for Tomcat, asking to migrate to the latest version :
CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory
CVE-2009-2901: Apache Tomcat insecure partial deploy after failed undeploy
CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12805487#action_12805487 ]

Ashish Vijaywargiya commented on OFBIZ-3424:
--------------------------------------------

Hello Erwan,

FYI Previous upgrade from Tomcat 5 to Tomcat 6 is being done by Jacopo (Thanks!).
So the jira issue OFBIZ-1800 & OFBIZ-1863 can help you in some sort IMO.

--
Ashish Vijaywargiya

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: OFBIZ-3424.diff

A first patch, but some INFO messages are now in the console when launching OFBiz such as

{code}
INFO: This Realm has already been started
Feb 21, 2010 7:02:49 PM org.apache.catalina.startup.ContextConfig defaultWebConfig
INFO: No default web.xml
2010-02-21 19:02:49,339 (main) [ GenericDispatcher.java:62 :INFO ] Creating new dispatcher [myportal] (main)
2010-02-21 19:02:49,340 (main) [ ControlServlet.java:73 :INFO ] LOADING WEBAPP [myportal] Open For Business - My Page, located at /home/erwan/workspace/ofbiz/specialpurpose/myportal/webapp/myportal/
2010-02-21 19:02:49,345 (main) [ ConfigXMLReader.java:120:INFO ] controller loaded: 0.0s, 5 requests, 5 views in file:/home/erwan/workspace/ofbiz/specialpurpose/myportal/webapp/myportal/WEB-INF/controller.xml
Feb 21, 2010 7:02:49 PM org.apache.catalina.realm.RealmBase start
INFO: This Realm has already been started
Feb 21, 2010 7:02:49 PM org.apache.catalina.startup.ContextConfig defaultWebConfig
INFO: No default web.xml
2010-02-21 19:02:49,490 (main) [ GenericDispatcher.java:62 :INFO ] Creating new dispatcher [order] (main)
2010-02-21 19:02:49,504 (main) [ ControlServlet.java:73 :INFO ] LOADING WEBAPP [ordermgr] Open For Business - Order Manager, located at /home/erwan/workspace/ofbiz/applications/order/webapp/ordermgr/
Feb 21, 2010 7:02:49 PM org.apache.catalina.connector.Connector initialize
INFO: The connector has already been initialized
Feb 21, 2010 7:02:49 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Feb 21, 2010 7:02:49 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=7/76 config=null
Feb 21, 2010 7:02:49 PM org.apache.catalina.connector.Connector initialize
INFO: The connector has already been initialized
Feb 21, 2010 7:02:49 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
Feb 21, 2010 7:02:49 PM org.apache.catalina.connector.Connector initialize
INFO: The connector has already been initialized
Feb 21, 2010 7:02:49 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
{code}

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: tomcat-6.0.24-catalina-ha.jar
                tomcat-6.0.24-catalina.jar
                tomcat-6.0.24-servlet-api.jar

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: tomcat-6.0.24-jsp-api.jar
                tomcat-6.0.24-el-api.jar
                tomcat-6.0.24-annotations-api.jar

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: tomcat-6.0.24-jasper.jar
                tomcat-6.0.24-jasper.jar
                tomcat-6.0.24-catalina-tribes.jar

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: tomcat-6.0.24-jasper.jar
                tomcat-6.0.24-jasper-el.jar
                tomcat-6.0.24-jasper-jdt.jar

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: tomcat-6.0.24-tomcat-coyote.jar
                tomcat-6.0.24-tomcat-dbcp.jar
                tomcat-6.0.24-tomcat-juli.jar

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment:     (was: tomcat-6.0.24-jasper.jar)

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment:     (was: tomcat-6.0.24-jasper.jar)

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12837427#action_12837427 ]

Anil K Patel commented on OFBIZ-3424:
-------------------------------------

I have not tested the patch, but looks like it should be simple. I think we should go for it.

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray updated OFBIZ-3424:
------------------------------

    Component/s:     (was: ALL APPLICATIONS)
                 framework

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12856643#action_12856643 ]

BJ Freeman commented on OFBIZ-3424:
-----------------------------------

I was going to test this on centos 5.4
I notice that there are additional files
do we use all of these or should I just replace the ones in the catalina\lib

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12856777#action_12856777 ]

Jacques Le Roux commented on OFBIZ-3424:
----------------------------------------

I'd try with the minimum and add if required

Thanks

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12856786#action_12856786 ]

Erwan de FERRIERES commented on OFBIZ-3424:
-------------------------------------------

I've just extracted files in the tomcat archive and renamed them. There may be too many of them.
BTW, a new version has been released, maybe we should try to integrate this one.

Cheers

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-3424:
-----------------------------------

    Priority: Major  (was: Blocker)

I don't think we can say this issue is a blocker.
For the newer version, yes why not using the last one indeed?

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857479#action_12857479 ]

BJ Freeman commented on OFBIZ-3424:
-----------------------------------

having trouble with the diff file.
what do I need to do to be able to use it?

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857481#action_12857481 ]

Erwan de FERRIERES commented on OFBIZ-3424:
-------------------------------------------

You may need to remove the part where the props are changed. I think that only the classpath and the CrossSubdomainSessionValve.java are necessary.

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12857505#action_12857505 ]

BJ Freeman commented on OFBIZ-3424:
-----------------------------------

it has some unprintable characters in it.

[ https://issues.apache.org/jira/browse/OFBIZ-3424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erwan de FERRIERES updated OFBIZ-3424:
--------------------------------------

    Attachment: OFBIZ-3424.diff

should be good with this one.