[WG: Sakai QA] [Building Sakai] sakai-2.6.3: test/recommend deployers use Tomcat 5.5.28+?

Berg, Alan A.M.Berg at uva.nl
Tue Jun 29 00:46:19 PDT 2010


Hi all,

I would like to reinforce Ian's question. What sort of work is required to move to Tomcat 6? I understand that there are classloader hierarchy differences, but technically can we push this into a minor 2.7 release? Is it just a question of solid QA test coverage or are there known issues?

Alan B.

Alan Berg
QA Director - The Sakai Foundation

Senior Developer / Quality Assurance
Group Education and Research Services
Central Computer Services
University of Amsterdam

http://home.uva.nl/a.m.berg




-----Original Message-----
From: sakai-dev-bounces at collab.sakaiproject.org on behalf of Ian Boston
Sent: Tue 29-6-2010 8:08
To: Anthony Whyte
Cc: production at collab.sakaiproject.org; Sakai QA; Developers Sakai-Dev
Subject: Re: [Building Sakai] sakai-2.6.3: test/recommend deployers use Tomcat 5.5.28+?
 
I would be worried about
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
which isn't fixed in 29, and AFAIK all our webapps are vulnerable.

Also fixed in 29:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
and related, as I will bet that many places still have the manager webapp available.
And if they are on Windows, this won't help.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548


Although these issues also exist in TC6, is there a reason why you are not testing on 6?
The kernel was patched about 2 years ago to run in TC6.

Ian

On 28 Jun 2010, at 17:36, Anthony Whyte wrote:

> We are now at work on readying the 2.6.x branch for a sakai-2.6.3 maintenance release (release date is yet to be determined).  The current recommended version of Tomcat for Sakai 2.6 is Tomcat 5.5.26 (released Feb 2008).  Both Alan and I think it worth discussing whether or not we should consider releasing sakai-2.6.3 with an updated Tomcat 5.5 version recommendation (5.5.28 or 5.5.29).  Alan is prepared to test 2.6.x using Tomcat 5.5.28 (released Sep 2009) or 5.5.29 (released Apr 2010).  Sakai 2.7.0 was tested against Tomcat 5.5.28.
> 
> One change for 2.6 deployers who choose to run Sakai in Tomcat 5.5.27+ is the requirement to add the following system property in order to disable strict quote escaping, a change in Tomcat *.jsp handling that has yet to be addressed in certain tools such as portfolios (see SAK-15736).
> 
> -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
> 
> This workaround has been noted in the 2.6 install guides for quite some time and is by no means a surprise requirement.
> 
> Tomcat 5.5.27-29 contain a number of security fixes that improve upon Tomcat 5.5.26 (see link below).   Looking over the Tomcat change log I don't see anything that raises any red flags (see link below).  But others should review the changes and raise any potential concerns.  
> 
> Finally if you are running a Sakai 2.6 tag or 2.6.x in production using Tomcat 5.5.27+ please let us know whether or not based on your experience you think we should test 2.6.x against an upgraded version of Tomcat.
> 
> Cheers,
> 
> Anthony
> 
> _____________________________
> 
> Tomcat Security
> 
> Tomcat 5.5 security fixes: http://tomcat.apache.org/security-5.html 
> 
> Tomcat change log
> 
> http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
> 
> Tomcat Release Notes
> 
> 5.5.29 http://tomcat.apache.org/tomcat-5.5-doc/RELEASE-NOTES.txt
> 5.5.28 http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.28/RELEASE-NOTES
> 5.5.27 http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.27/RELEASE-NOTES
> 
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
> 
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
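
A deployment preflight check for the system property requirement quoted above, as an added example that is not part of the original thread or of Sakai's own tooling. The function names and return codes are hypothetical, and the script assumes the `Server version: Apache Tomcat/x.y.z` line that Tomcat's `version.sh` prints.

```shell
#!/bin/sh
# Added example: verify that a Tomcat 5.5.27+ install running Sakai 2.6
# has strict quote escaping disabled. Names and return codes are hypothetical.

FLAG='-Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false'

# tomcat_version: read version.sh-style output on stdin, print e.g. 5.5.28
tomcat_version() {
    sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# version_ge A B: succeed when dotted numeric version A >= B.
# Fields are compared as integers, so 5.5.9 sorts below 5.5.27.
version_ge() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# check_jsp_flag VERSION JAVA_OPTS
#   0 = flag not needed (below 5.5.27) or present
#   1 = needed but missing
#   2 = version is malformed or outside the 5.5 line this thread covers
check_jsp_flag() {
    case $1 in ''|*[!0-9.]*|*.|*..*) return 2 ;; 5.5.*) ;; *) return 2 ;; esac
    version_ge "$1" 5.5.27 || return 0
    case " $2 " in *" $FLAG "*) return 0 ;; esac
    return 1
}

# Constructed sample of version.sh output, embedded so the script runs offline.
SAMPLE='Server version: Apache Tomcat/5.5.28
Server number:  5.5.28.0'

v=$(printf '%s\n' "$SAMPLE" | tomcat_version)
if check_jsp_flag "$v" "-Xmx1024m $FLAG"; then
    echo "Tomcat $v: strict quote escaping setting is acceptable"
fi
```

On a live host, pipe the real `version.sh` output into `tomcat_version` and pass the actual `JAVA_OPTS` string as the second argument.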
