Geronimo / GERONIMO-4245

Upgrade to Tomcat 6.0.18 to pick up latest security fixes

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2
    • Fix Version/s: 2.0.3, 2.1.3, 2.2
    • Component/s: dependencies
    • Security Level: public (Regular issues)
    • Labels: None

      Description

      Need to upgrade to Tomcat 6.0.18 to pick up the latest security fixes, as listed on the following Tomcat webpage - http://tomcat.apache.org/security-6.html

        Activity

        Donald Woods added a comment -

        Trunk (2.2), branches/2.1 (2.1.3-SNAPSHOT) and branches/2.0 (2.0.3-SNAPSHOT) have all been upgraded.

        Donald Woods added a comment -

        Trunk (2.2-SNAPSHOT) upgraded to Tomcat 6.0.18 with r686143 and r686146.

        Donald Woods added a comment -

        I've run into several JSP files in our build (mainly the monitor webapp) that require code changes to work with Tomcat 6.0.18, due to tightened code around the JSP 2.0 spec in Jasper during the Tomcat 6.0.17 release.

        The build errors look something like -
        org.apache.jasper.JasperException: file:/Users/drwoods/geronimo/server-trunk/plugins/monitoring/mconsole-war/src/main/webapp/WEB-INF/view/monitoringEditView.jsp(168,168) Attribute value rs.getString("server_id") is quoted with " which must be escaped when used within the value
        at org.apache.jasper.compiler.DefaultErrorHandler.jspError(DefaultErrorHandler.java:40)

        There are several places in the portlet code where we have -
        value="<%=rs.getString("server_id")%>"
        which had to be changed to
        value='<%=rs.getString("server_id")%>'

        The full text of the Tomcat Jasper change can be found at -
        https://issues.apache.org/bugzilla/show_bug.cgi?id=45015
        with the basic explanation being -

        According to JSP 2.0 specification (chapter 1.7 page 72,73)

        This code is illegal:
        <mytags:tag value="<%= "hi!" %>" />

        Instead the correct sentence would be:
        <mytags:tag value='<%= "hi!" %>' />
        <mytags:tag value="<%= \"hi!\" %>" />
        <mytags:tag value='<%= \"name\" %>' />
        ...

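As an added example (not part of this ticket or of Geronimo's or Tomcat's code), a small Python check for the quoting rule described in the comment above: it flags JSP attribute values whose <%= %> expression reuses the delimiting quote unescaped, and suggests either swapping the delimiter (the fix used in the ticket) or backslash-escaping when both quote kinds are in use. The sample JSP lines and all function names are constructed for illustration; this is a heuristic scan, not a JSP parser.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int        # 1-based line of the offending expression
    attr: str        # attribute name, e.g. "value"
    suggestion: str  # rewritten attribute that Jasper 6.0.17+ accepts

ATTR_START = re.compile(r'([A-Za-z_:][\w:.-]*)\s*=\s*(["\'])')  # name= plus the opening quote

def _unescaped(ch: str, text: str) -> bool:  # True if ch occurs without a preceding backslash
    return re.search(r'(?<!\\)' + re.escape(ch), text) is not None
def _suggest(attr: str, q: str, expr: str) -> str:
    other = "'" if q == '"' else '"'
    if not _unescaped(other, expr):  # other quote unused: swap delimiters (the ticket's fix)
        return f"{attr}={other}<%= {expr} %>{other}"
    escaped = re.sub(r'(?<!\\)' + re.escape(q), lambda _: '\\' + q, expr)  # else backslash-escape
    return f"{attr}={q}<%= {escaped} %>{q}"

def scan_jsp(source: str) -> List[Finding]:
    """Heuristic scan (not a full JSP parser): flag quoted attribute values whose
    <%= %> expression contains the delimiting quote unescaped, as Jasper 6.0.17+ does."""
    findings: List[Finding] = []
    pos = 0
    while m := ATTR_START.search(source, pos):
        attr, q, i = m.group(1), m.group(2), m.end()
        while i < len(source):
            if source.startswith('<%=', i):  # expression inside the attribute value
                end = source.find('%>', i)
                if end < 0:
                    break
                expr = source[i + 3:end].strip()
                if _unescaped(q, expr):
                    line = source.count('\n', 0, i) + 1
                    findings.append(Finding(line, attr, _suggest(attr, q, expr)))
                i = end + 2
            elif source[i] == '\\':
                i += 2  # skip an escaped character
            elif source[i] == q:
                break   # closing delimiter reached
            else:
                i += 1
        pos = i + 1
    return findings

# Constructed sample: line 1 is the ticket's pattern, lines 2-3 are already legal, line 4 needs escaping.
SAMPLE_JSP = '''<input type="text" name="server_id" value="<%=rs.getString("server_id")%>" />
<input type="text" name="name" value='<%=rs.getString("name")%>' />
<mytags:tag value="<%= \\"hi!\\" %>" />
<mytags:tag value="<%= a.get("k") + '-' + b %>" />'''
```

Running scan_jsp over a webapp's .jsp files before the upgrade gives the same list Jasper would otherwise report one build failure at a time.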

          People

          • Assignee: Donald Woods
          • Reporter: Donald Woods
          • Votes: 0
          • Watchers: 0
