
I am running Tomcat version 7.0.52; I know this is an old version. I looked into https://tomcat.apache.org/security-7.html, and according to this page the latest version is 7.0.68, so I am confused, because I am not sure if I am secure or not, since I cannot find a USN doc which tells me to upgrade my 7.0.52 tomcat7 to a higher version.

I need to make sure that I am secure and whether this upgrade to 7.0.68 is necessary or not. If it is, will it break anything?

Nishant Singh
  • 2
    Yeah, there are 14 known vulnerabilities (CVEs) in 7.0.52. Tomcat recommends the 8.x train anyways (and yes, if you choose to stay on the 7.x train please install 7.0.68). What are you doing running such an old version? It's a misnomer that security updates break things. What's broken is the modern system administrator and their management teams. Install yum-cron or unattended updates. You can specify only medium-risk and above security updates. Just do it! – atdre May 18 '16 at 06:29
  • Can you just point me to the CVE? I will be upgrading the instances soon – Nishant Singh May 18 '16 at 06:51
  • 1
    Did you even look? https://tomcat.apache.org/security-7.html (which you mentioned yourself) lists all needed information, including the CVE. – Steffen Ullrich May 18 '16 at 06:57
  • @SteffenUllrich yes, already did, in my question; I am more curious how I can upgrade with breaking stuff – Nishant Singh May 18 '16 at 06:59

1 Answer


You can start by using their GUI tool to check configuration file differences between your version and the latest (7.0.69):


and paying attention to the "noteable changes" that might be of interest between the versions, i.e.:

In 7.0.63 onwards, the meaning of value 0 for maxPostSize attribute on connectors was changed to mean a limit of zero rather than no limit to align it with maxSavePostSize and to be more intuitive.

HTTP500
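One way to check a `server.xml` for the `maxPostSize` change quoted in the answer above before upgrading across 7.0.63, as an added example that is not part of the original answer or of Tomcat's own tooling. The sample XML is constructed, the function names are hypothetical, and treating a negative value as "no limit" is an assumption taken from Tomcat's connector documentation that should be verified for the target version.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original post).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxPostSize="0"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxPostSize="4194304"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

def audit_max_post_size(server_xml_text):
    """Return (port, raw_value, status) for every <Connector>, classifying
    maxPostSize against the 7.0.63 change quoted above."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        raw = conn.get("maxPostSize")
        if raw is None:
            status = "default"          # attribute absent: connector default applies
        else:
            try:
                value = int(raw.strip())
            except ValueError:
                status = "unparseable"  # e.g. a ${property} placeholder; check by hand
            else:
                if value == 0:
                    status = "changes"  # no limit before 7.0.63, limit of zero after
                elif value < 0:
                    status = "no-limit" # assumption: negative disables the limit
                else:
                    status = "explicit-limit"
        findings.append((port, raw, status))
    return findings

def needs_review(findings):
    """Ports whose behaviour differs across the upgrade or could not be checked."""
    return [port for port, _raw, status in findings
            if status in ("changes", "unparseable")]

if __name__ == "__main__":
    for port, raw, status in audit_max_post_size(SAMPLE_SERVER_XML):
        print(f"connector port={port} maxPostSize={raw!r} -> {status}")
```

A connector reported as `changes` would start rejecting POST form data after the upgrade, and one reported as `no-limit` accepts unbounded POST bodies, which is worth a deliberate decision either way.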