update trusty to newest release due to security vulnerabilities

Asked by Dylan Bijnagte on 2015-06-22

Question information

English
Ubuntu tomcat7
No assignee

I suggest you report a bug. Mark it as a security bug with those links and the package will be updated sooner rather than later.

Dylan Bijnagte (dylanbijnagte) said : #3

Thanks, I missed the bug report in my search.

DougPendergras (dpendergras) said : #4

I have a similar issue. I've been asked by management to upgrade to latest Tomcat security after my company hired a security audit.

Is there a procedure for manually applying only security updates for the Ubuntu 14.04 tomcat7 package?

I would like to automate security patching for Tomcat7. However, my new SLA only allows for a 30 day delay after security patches are made available.

actionparsnip (andrew-woodhead666) - I have not found an update for the last 7 months. Did you find a way to update your tomcat7 to the latest security patches?

Thank you,


Manfred Hampl (m-hampl) said : #5

What vulnerability are you talking about?
https://tomcat.apache.org/security-7.html lists CVE-2014-7810 as the latest vulnerability with a known fix in Apache Tomcat 7.x

This has been fixed in tomcat7 for Ubuntu 14.04 (7.0.52-1ubuntu0.3).

You have to be aware that Ubuntu's strategy is not to upgrade the whole package (e.g. to 7.0.59), but to backport the bug fix to the older version (making it from 7.0.52-1 into 7.0.52-1ubuntu0.3).
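An added example, not part of the thread: because the fix is backported, a patch check has to compare the installed package version against the fixed package version (7.0.52-1ubuntu0.3) using Debian version ordering, rather than against the upstream release number. The function names below are hypothetical, and the sample versions other than those quoted in the thread are constructed.

```python
import re

FIXED = "7.0.52-1ubuntu0.3"  # from the thread: trusty build with the CVE-2014-7810 backport

def _weight(c):
    # dpkg ordering: '~' sorts before end-of-string (0), letters before other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare two upstream-version or revision strings using dpkg's ordering."""
    while a or b:
        # leading non-digit runs, character by character
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x = _weight(na[i]) if i < len(na) else 0
            y = _weight(nb[i]) if i < len(nb) else 0
            if x != y:
                return -1 if x < y else 1
        # leading digit runs, numerically; an empty run counts as 0
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    """Split [epoch:]upstream[-revision] into its three fields."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return epoch, upstream, rev

def compare(v1, v2):
    """Return -1, 0 or 1 for v1 older than, equal to, or newer than v2."""
    for x, y in zip(_split(v1), _split(v2)):
        r = _cmp_part(x, y)
        if r:
            return r
    return 0

def has_backported_fix(installed, fixed=FIXED):
    return compare(installed, fixed) >= 0

if __name__ == "__main__":
    for v in ("7.0.52-1", "7.0.52-1ubuntu0.1", "7.0.52-1ubuntu0.3"):  # constructed samples
        print(v, "fixed" if has_backported_fix(v) else "missing CVE-2014-7810 backport")
```

The installed version string to pass in can be read with `dpkg-query -W -f='${Version}' tomcat7`.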

DougPendergras (dpendergras) said : #6

@Manfred Hampl (m-hampl)

Thank you for explaining that the Ubuntu Tomcat package name (7.0.52-1ubuntu0.3) will not reflect the same version format as the Tomcat packages (Apache Tomcat 7.0.59). I did not understand that.
