[SciFed] Tomcat 6 requirement for Shib IDP

Dhivakaran Muruganantham dmuruganantham at lbl.gov
Mon Jan 30 22:35:33 GMT 2012

Hi Nate,
Here is the response from the Redhat Developer who is responsible for the
Tomcat5 release on Redhat 5x systems.
Is it possible for the Shib Development Team to revisit this issue?


From: dknox <dknox at redhat.com>
To: Dhivakaran Muruganantham <dmuruganantham at lbl.gov>
Subject: Re: Tomcat5 package on Redhat EL 5

Hi Dhiva,
As far as I can tell, the bug you reference was part of the patch for
CVE-2007-5333 (rhbz 427780) that has been applied since
RHEL-5/tomcat5.5.23-0jpp.9.el5. The most recent RHEL-5 release is
tomcat5-5.5.23-0jpp.27.el5. Note the patch introduces a system
property "org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH"
that ensures quotes are escaped. The default value is true. I
recommend the customer use the default which should be adequate for
both version 1 and version 2 cookie parsing.

The fix is already in tomcat6/RHEL6 as it was originally patched in
tomcat-6.0.16. RHEL-6 is at 6.0.24.

Don't know where the customer got the idea that it wouldn't be fixed
in tomcat5. Also don't know anything about Shib IDP, so it's difficult
to answer your question succinctly. Tomcat5-5.5.23 uses servlet 2.4,
so if that is the only requirement, it should work.

hope this helps,
-- david




On Thu, Jan 26, 2012 at 1:56 PM, Aaron Roots <aaron.roots at deakin.edu.au> wrote:

>  Also if you can get to Centos6 or Redhat6 – tomcat6 is provided in the
> base repos. We are currently running this version without issue.
>  Cheers
> Aaron
>   From: Dhivakaran Muruganantham <dmuruganantham at lbl.gov>
> Reply-To: Shib Users <users at shibboleth.net>
> Date: Wed, 25 Jan 2012 15:32:42 -0800
> To: Shib Users <users at shibboleth.net>
> Subject: Re: [SciFed] Tomcat 6 requirement for Shib IDP
>  Thanks Peter. Useful to know and I am going to try it on Dev machines.
> We do use other repos along with RHN. The problem is that jpackage.repo
> became out of sync.
>  Forwarded the Tomcat5 bug that Nate mentioned to the Redhat Developer
> responsible for Tomcat5 release.
> Here is the reply...
> >>>>
> Hi Dhiva,
> I recall that bug. I can take a closer look Thursday.
> cheers,
> -- david
> <<<<<
> On Wed, Jan 25, 2012 at 2:34 PM, Peter Schober <peter.schober at univie.ac.at> wrote:
>> * Dhivakaran Muruganantham <dmuruganantham at lbl.gov> [2012-01-25 19:36]:
>> > I don't think I am the only one, interested in running CentOS/Redhat
>> > platform.
>> > Doing a 'yum' install using the Standard repo is always preferred method,
>> > instead of downloading a generic package. I think.
>>  The best (e.g. most flexible, least cruft) S/RPM packages for Tomcat
>> I've seen are the ones provided by Jason Brittain. They used to be on
>> his personal website and seemingly have found a new home at
>> http://code.google.com/p/webdroid-tomcat-package/
>> For `yum install` you'd need to import the packages into a repo of
>> your own. We use our RHN Satellite but createrepo (or others) will do
>> just fine.
>> -peter
>>  --
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net