[Building Sakai] sakai-2.6.3: test/recommend deployers use Tomcat 5.5.28+?

Ian Boston ieb at tfd.co.uk
Mon Jun 28 23:08:09 PDT 2010


I would be worried about
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
which isn't fixed in 29, and AFAIK all our webapps are vulnerable.

Also fixed in 29:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
and related, as I will bet that many places still have the manager webapp available.
And if they are on Windows, this won't help:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548


Although these issues also exist in TC6, is there a reason why you are not testing on 6?
The kernel was patched about 2 years ago to run in TC6.

Ian

On 28 Jun 2010, at 17:36, Anthony Whyte wrote:

> We are now at work on readying the 2.6.x branch for a sakai-2.6.3 maintenance release (release date is yet to be determined).  The current recommended version of Tomcat for Sakai 2.6 is Tomcat 5.5.26 (released Feb 2008).  Both Alan and I think it worth discussing whether or not we should consider releasing sakai-2.6.3 with an updated Tomcat 5.5 version recommendation (5.5.28 or 5.5.29).  Alan is prepared to test 2.6.x using Tomcat 5.5.28 (released Sep 2009) or 5.5.29 (released Apr 2010).  Sakai 2.7.0 was tested against Tomcat 5.5.28.
> 
> One change for 2.6 deployers who choose to run Sakai in Tomcat 5.5.27+ is the requirement to add the following system property in order to disable strict quote escaping, a change in Tomcat *.jsp handling that has yet to be addressed in certain tools such as portfolios (see SAK-15736).
> 
> -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
> 
> This workaround has been noted in the 2.6 install guides for quite some time and is by no means a surprise requirement.
> 
> Tomcat 5.5.27-29 contain a number of security fixes that improve upon Tomcat 5.5.26 (see link below). Looking over the Tomcat change log I don't see anything that raises any red flags (see link below). But others should review the changes and raise any potential concerns.
> 
> Finally if you are running a Sakai 2.6 tag or 2.6.x in production using Tomcat 5.5.27+ please let us know whether or not based on your experience you think we should test 2.6.x against an upgraded version of Tomcat.
> 
> Cheers,
> 
> Anthony
> 
> _____________________________
> 
> Tomcat Security
> 
> Tomcat 5.5 security fixes: http://tomcat.apache.org/security-5.html 
> 
> Tomcat change log
> 
> http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
> 
> Tomcat Release Notes
> 
> 5.5.29 http://tomcat.apache.org/tomcat-5.5-doc/RELEASE-NOTES.txt
> 5.5.28 http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.28/RELEASE-NOTES
> 5.5.27 http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.27/RELEASE-NOTES
> 
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> 
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
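
An added example, not code from the Sakai or Tomcat projects and not part of either message above: a small POSIX shell audit of a Tomcat 5.5 CATALINA_HOME for the three deployer-side points the thread raises, namely whether the STRICT_QUOTE_ESCAPING workaround from the 2.6 install guide is set, whether the manager webapp is still deployed, and whether conf/tomcat-users.xml contains accounts with an empty password. The file locations assume the standard Tomcat 5.5 layout (bin/setenv.sh, conf/tomcat-users.xml, webapps/manager); the sample CATALINA_HOME the script builds when run without arguments is constructed for the demonstration and is not a real install.

```shell
#!/bin/sh
# Added example, not Sakai or Tomcat project code: audit a Tomcat 5.5
# CATALINA_HOME for the points raised in the thread. Assumes the standard
# 5.5 layout (bin/setenv.sh, conf/tomcat-users.xml, webapps/manager).

# 0 if the strict-quote-escaping workaround from the 2.6 install guide is
# present in bin/setenv.sh (JAVA_OPTS or CATALINA_OPTS), 1 otherwise.
has_strict_quote_workaround() {
    grep -q 'org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false' \
        "$1/bin/setenv.sh" 2>/dev/null
}

# 0 if the manager webapp is still deployed, either unpacked under webapps/
# or registered through a per-host context file, 1 otherwise.
manager_deployed() {
    [ -d "$1/webapps/manager" ] || [ -f "$1/conf/Catalina/localhost/manager.xml" ]
}

# Print, one per line, the usernames in conf/tomcat-users.xml whose password
# attribute is empty. Line based, which is enough for the one-entry-per-line
# layout the stock file uses.
blank_password_users() {
    [ -f "$1/conf/tomcat-users.xml" ] || return 0
    sed -n '/<user /{ /password=""/ s/.*username="\([^"]*\)".*/\1/p; }' \
        "$1/conf/tomcat-users.xml"
}

# Run all checks, print one line per finding, return the number of findings.
audit_tomcat() {
    home=$1
    findings=0
    if ! has_strict_quote_workaround "$home"; then
        echo "WARN: STRICT_QUOTE_ESCAPING=false not set in $home/bin/setenv.sh (Sakai 2.6 on Tomcat 5.5.27+ needs it)"
        findings=$((findings + 1))
    fi
    if manager_deployed "$home"; then
        echo "WARN: manager webapp is deployed under $home; remove it unless it is actually used"
        findings=$((findings + 1))
    fi
    for u in $(blank_password_users "$home"); do
        echo "WARN: user '$u' in $home/conf/tomcat-users.xml has an empty password"
        findings=$((findings + 1))
    done
    return $findings
}

# Build a constructed sample CATALINA_HOME (not a real install) so the
# script can be exercised offline. It deliberately trips all three checks.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/conf" "$d/webapps/manager"
    printf 'JAVA_OPTS="-Xmx1024m"\n' > "$d/bin/setenv.sh"
    cat > "$d/conf/tomcat-users.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <user username="admin" password="" roles="manager"/>
  <user username="sakai" password="s3cret" roles="manager"/>
</tomcat-users>
EOF
    echo "$d"
}

# Usage: sh tomcat_audit.sh /path/to/tomcat
# With no argument the constructed sample is audited and then removed.
if [ -n "$1" ]; then
    audit_tomcat "$1"
else
    sample=$(make_sample_home)
    audit_tomcat "$sample" || true
    rm -rf "$sample"
fi
```

The exit status of audit_tomcat is the number of findings, so it can gate a deployment step in a script. The password check only catches the stock one-line `<user .../>` entries; a hand-edited file with attributes split across lines needs a real XML parser.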