
dhis2-devs team mailing list archive

Re: [Dhis2-users] heads up on tomcat versions and dhis

 

Thanks Jason.  To make matters more complicated it looks like ubuntu
maintains its own patch release numbering of tomcat.  So for example it
looks like the problem first raised in Zim after
upgrading 7.0.52-1ubuntu0.7 to 7.0.52-1ubuntu0.8.

They can try to rewind that upgrade to see if good behaviour is restored.

Then I believe you can hold back further upgrades to certain packages
with apt-mark hold <package-name>.  We'll see.

How painful is it to patch older dhis2 versions?  I was looking (without
success) for the relevant GitHub commit.



On 1 February 2017 at 11:54, Jason Pickering <jason.p.pickering@xxxxxxxxx>
wrote:

> Hi Bob,
>
> https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.35/
>
> is known to work in this situation for me. Lars suggested this version and
> it worked for us.
>
> We had the exact same thing happen on another instance, which basically
> "broke" dhis2-tools, so for the time being, we are using this specific
> version of Tomcat as a local install to work around the problem until that
> instance can be upgraded.
>
> Specifically, it was this commit  (thanks to BAO for finding it)
>
> https://github.com/apache/tomcat70/commit/a3d7be9e35505f85fc01f5f36451c710f9c9bbcc
>
> which introduced this, which seems to be Tomcat 7.0.73, so something
> earlier than that should work as well. I am not sure which commit this was
> in Tomcat 8.
>
> Hope that helps.
>
> Regards,
> Jason
>
>
> On Wed, Feb 1, 2017 at 6:06 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> wrote:
>
>> Hi Lars and all
>>
>> I can see this is going to cause quite a bit of chaos with large country
>> installations where they are not able to be too agile with upgrading.
>>
>> Do you have more precise info on the exact tomcat version numbers?  We
>> just saw in Zim (DHIS 2.22) that the package manager automatically upgraded
>> to 7.0.52 and they started seeing these problems.  So maybe it is that
>> version?
>>
>> They will have to try and come up with a process of downgrading tomcat
>> and holding that version via the package manager as a short term measure
>> while they plan any dhis2 upgrade process.
>>
>> So getting the exact tomcat versions where the URL checking was
>> introduced will be helpful if you have them.
>>
>> On 7 January 2017 at 12:56, Lars Helge Øverland <lars@xxxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>> the latest builds of tomcat (the servlet container mostly used with DHIS
>>> 2) have tightened up validation of characters in URLs, so that only
>>> characters defined as safe per RFC 1738
>>> <https://www.ietf.org/rfc/rfc1738.txt> are allowed. Our apps had some
>>> cases of un-escaped use of the pipe character which was causing tomcat to
>>> occasionally return 400 bad request.
>>>
>>> We have patched this now in 2.24, 2.25 and master.
>>>
>>> Bottom line: If you plan to upgrade to very latest Tomcat 7, 8 or 8.5
>>> builds on your server, make sure to upgrade to latest 2.24 or 2.25 of DHIS
>>> 2.
>>>
>>>
>>> regards,
>>>
>>> Lars
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Lars Helge Øverland
>>> Lead developer, DHIS 2
>>> University of Oslo
>>> Skype: larshelgeoverland
>>> lars@xxxxxxxxx
>>> http://www.dhis2.org <https://www.dhis2.org/>
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-users
>>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-users
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel: +46764147049
>
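
The oldest message quoted above describes un-escaped pipe characters in app URLs being answered with 400 once Tomcat validates URL characters against RFC 1738. The following is an added example, not part of the original thread and not the DHIS 2 patch: it audits request targets for the characters RFC 1738 section 2.2 lists as unsafe and percent-encodes them without double-encoding existing escapes. The function names and sample URLs are constructed, and the exact character set a given Tomcat build rejects is an assumption.

```javascript
// Added example: names and sample URLs are constructed for illustration.
// One regex alternative per case:
//   1. "%" that does not start a valid %XX escape
//   2. runs of space, control or non-ASCII characters
//   3. the printable characters RFC 1738 section 2.2 calls "unsafe"
// "#" is left alone: it is assumed to delimit a fragment, not to be data.
const NEEDS_ESCAPE = /%(?![0-9A-Fa-f]{2})|[^\x21-\x7e]+|[<>"{}|\\^~\[\]`]/g;

function pctEncode(match) {
  if (match === '%') return '%25';
  // Space, control and non-ASCII runs are encoded as UTF-8 bytes.
  if (/[^\x21-\x7e]/.test(match)) return encodeURIComponent(match);
  // Single printable ASCII character: emit its code as two hex digits.
  return '%' + match.charCodeAt(0).toString(16).toUpperCase();
}

// Report each offending substring with its offset, for auditing URLs
// that an app builds by string concatenation.
function findUnescaped(url) {
  return Array.from(url.matchAll(NEEDS_ESCAPE),
    (m) => ({ text: m[0], index: m.index }));
}

// Escape only what needs it; existing %XX sequences are kept as they are.
function escapeUnsafe(url) {
  return url.replace(NEEDS_ESCAPE, pctEncode);
}

// Constructed sample request targets (not taken from DHIS 2).
const samples = [
  '/api/items?filter=a|b|c',   // raw pipes, the case from the thread
  '/api/items?filter=a%7Cb',   // already escaped, must stay unchanged
  '/api/items?name=50% done',  // stray "%" and a space
];
for (const s of samples) {
  console.log(s, '->', escapeUnsafe(s), JSON.stringify(findUnescaped(s)));
}
```

Running the audit over URLs collected from an older app version shows which requests need patching before the servlet container is upgraded.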
