Updating to latest version of Tomcat

[Bill Mitchell]

A security scan on our server (Centos 6.5 running Lucee 4.5.1.022) tells me that there is a medium risk associated with:

83526 - Apache Tomcat 7.0.x < 7.0.60 Multiple Vulnerabilities (FREAK)

The Tomcat version that is bundled with Lucee is 7.0.59 whereas the latest version which patches these vulnerabilities is 7.0.60 or higher (latest available is 7.0.62).

I have searched for issues related to updating just the Tomcat version within Lucee but have found no information.

Can anyone outline whether they have updated Tomcat within Lucee and what issues I might encounter please?

I think it best to avoid the risk identified with version 7.0.59

best wishes
bill

[Jordan Michaels]

Documentation on upgrading your version of Tomcat (as well as the JRE) can be found here:

https://github.com/getrailo/railo/wiki/Installation-InstallerDocumentation#Installing_and_Upgrading

I will be moving this information to the installer GitHub repo and updating it shortly.

-Jordan

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/5808bc3c-4e74-4476-9c3d-333c25af07b2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Bill Mitchell]

Thanks Jordan

It all went well.

The pages you refer to do not provide the information though.

I used this https://github.com/getrailo/railo/wiki/Installation-Documentation-For-Upgrading-Tomcat

Everyone running fine after the update.

I appreciate your help.

best wishes
bill

[Jordan Michaels]

Bill,

> The pages you refer to do not provide the information though.

I'm not sure what you mean? The link you included in your response below was one of the links on the page that I sent you. Further, the link I sent you also contains a link to a page that shows how to update your JRE.

Either way, and however you found it, I'm glad you found the information you needed and that you've upgraded successfully. =)

Kind regards,
Jordan Michaels

----- Original Message -----
From: "Bill Mitchell" <bill.m...@newcastle.edu.au>
To: lu...@googlegroups.com

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/c7bf6e96-a139-4b96-aa3c-15c86480b7a6%40googlegroups.com.

[Simon Goldschmidt]

We tried upgrading a Windows server from Tomcat 7.0.59 to 8.0.24 following the instructions, but Tomcat wouldn't start. I didn't find anything helpful in any log files, only "The Lucee Server service terminated unexpectedly" in the Windows System logs. Is there any more to the process than stopping the Tomcat service, replacing the lib directory and restarting the service?

Simon

[Jordan Michaels]

Yes. The configs change slightly from tomcat 7 to 8. In my testing, any errors I ran into were logged in the catalina.out file. I am in the process (right at this very moment in fact) of creating updated installers that include Tomcat 8, so that can be used as a pattern in the future. Until then, there are some other resources for getting Lucee installed on Tomcat 8, if you'd like the make that jump now. The updated installers will also include the new mod_cfml 1.1.

You should be able to upgrade from the 1.7 JRE to the 1.8 JRE without much hassle, if that is something you'd like to do now.

-Jordan

--
You received this message because you are subscribed to the Google Groups "Lucee" group.
To unsubscribe from this group and stop receiving emails from it, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/dc15bca9-47c4-46b1-a3c4-a80a405ed45d%40googlegroups.com.

[Simon Goldschmidt]

Thanks Jordan. The JRE update was straight forward. We'll sit tight for the updated installer for the rest.

Simon

[Julian Halliwell]

It might be worth updating to the latest version 7 point release to
get the security patch sooner. I've found that copying the jars does
work fine if you stick to the same major version.

[Bill Mitchell]

My reading of the documentation told me to avoid going up a version (from 7.x to 8.x) as it would involve much more than upgrading the lib folder files.

So I just updated to the last version of 7.x

I would restore your backup and then just go to the last version of 7 and wait for the full update from the Lucee team.

I think, in general, it would be good for the Lucee team to make it a scheduled matter to update the Tomcat component as Apache release the updates.

Security matters would dictate that to be good practice.

best wishes
bill

[Patrick Heppler]

Here is what I did on Linux Box.

I downloaded apache-tomcat-8.0.24.tar.gz to /tmp and untared it

Then I ran this:

/bin/cp /tmp/apache-tomcat-8.0.24/lib/* /opt/lucee/tomcat/lib/
/bin/cp /tmp/apache-tomcat-8.0.24/bin/*.jar /opt/lucee/tomcat/bin/

Note that I only copied the jars, no .bat or .sh files!

Then I commented out this line in /opt/lucee/tomcat/conf/server.xml

<Listener className="org.apache.catalina.core.JasperListener" />

Everything works fine!