dhis2-users team mailing list archive
Message #12449
Re: [Dhis2-devs] heads up on tomcat versions and dhis
It "should" work indeed. I haven't tested out downgrading the tomcat-related
packages yet. It might not be so straightforward. Also of course
it is a bit of a concern, as all of the tomcat upgrades on a "normally"
configured ubuntu system would be security upgrades. So we would be asking
users to run with known vulnerabilities, which I am a little uneasy about.
What we are saying effectively is that dhis2 v2.23 and earlier has a flaw
which requires it to be run on a tomcat with known vulnerabilities.
Effectively this translates to a vulnerability (in fact a bundle) in 2.23
for which the real remedy is to upgrade to 2.24. Downgrading tomcat is a
distant second best workaround.
I still have to scratch my head a bit to figure out and test a neat/quick
way to achieve this with dhis2-tools where it might be difficult to do a
quick upgrade to 2.24.
On 1 February 2017 at 13:05, Jason Pickering <jason.p.pickering@xxxxxxxxx>
wrote:
> Lars had advised me this would not be easy, as this fix would need to be
> made in several apps.
>
> I did not have time to figure out exactly which Tomcat package would work,
> but your approach sounds reasonable to me. We took a temporary route and
> used one we knew would work until the upgrade to at least 2.24 is feasible.
>
> On Wed, Feb 1, 2017, 18:38 Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>
>> Thanks Jason. To make matters more complicated it looks like ubuntu
>> maintains its own patch release numbering of tomcat. So for example it
>> looks like the problem first raised in Zim after
>> upgrading 7.0.52-1ubuntu0.7 to 7.0.52-1ubuntu0.8.
>>
>> They can try to rewind that upgrade to see if good behaviour is restored.
>>
>> Then I believe you can hold back further upgrades to certain packages
>> with apt-mark hold <package-name>. We'll see.
>>
>> How painful is it to patch dhis2 older versions? I was looking (without
>> success) for relevant github commit.
>>
>> On 1 February 2017 at 11:54, Jason Pickering <jason.p.pickering@xxxxxxxxx>
>> wrote:
>>
>> Hi Bob,
>>
>> https://archive.apache.org/dist/tomcat/tomcat-8/v8.0.35/
>>
>> is known to work in this situation for me. Lars suggested this version
>> and it worked for us.
>>
>> We had the exact same thing happen on another instance, which basically
>> "broke" dhis2-tools, so for the time being, we are using this specific
>> version of Tomcat as a local install to work around the problem until that
>> instance can be upgraded.
>>
>> Specifically, it was this commit (thanks to BAO for finding it)
>>
>> https://github.com/apache/tomcat70/commit/a3d7be9e35505f85fc01f5f36451c710f9c9bbcc
>>
>> which introduced this, which seems to be Tomcat 7.0.73, so something
>> earlier than that should work as well. I am not sure which commit this was
>> in Tomcat 8.
>>
>> Hope that helps.
>>
>> Regards,
>> Jason
>>
>> On Wed, Feb 1, 2017 at 6:06 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>> wrote:
>>
>> Hi Lars and all
>>
>> I can see this is going to cause quite a bit of chaos with large country
>> installations where they are not able to be too agile with upgrading.
>>
>> Do you have more precise info on the exact tomcat version numbers? We
>> just saw in Zim (DHIS 2.22) that the package manager automatically upgraded
>> to 7.0.52 and they started seeing these problems. So maybe it is that
>> version?
>>
>> They will have to try and come up with a process of downgrading tomcat
>> and holding that version via the package manager as a short term measure
>> while they plan any dhis2 upgrade process.
>>
>> So getting the exact tomcat versions where the URL checking was
>> introduced will be helpful if you have them.
>>
>> On 7 January 2017 at 12:56, Lars Helge Øverland <lars@xxxxxxxxx> wrote:
>>
>> Hi all,
>>
>> the latest builds of tomcat (the servlet container mostly used with DHIS
>> 2) have tightened up validation of characters in URLs, so that only
>> characters defined as safe per RFC 1738
>> <https://www.ietf.org/rfc/rfc1738.txt> are allowed. Our apps had some
>> cases of un-escaped use of the pipe character, which was causing tomcat to
>> occasionally return 400 Bad Request.
>>
>> We have patched this now in 2.24, 2.25 and master.
>>
>> Bottom line: If you plan to upgrade to very latest Tomcat 7, 8 or 8.5
>> builds on your server, make sure to upgrade to latest 2.24 or 2.25 of DHIS
>> 2.
>>
>> regards,
>>
>> Lars
>>
>> --
>> Lars Helge Øverland
>> Lead developer, DHIS 2
>> University of Oslo
>> Skype: larshelgeoverland
>> lars@xxxxxxxxx
>> http://www.dhis2.org <https://www.dhis2.org/>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help : https://help.launchpad.net/ListHelp
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help : https://help.launchpad.net/ListHelp
>>
>> --
>> Jason P. Pickering
>> email: jason.p.pickering@xxxxxxxxx
>> tel: +46764147049
>>
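Lars's message above gives the mechanism: newer Tomcat builds reject request targets containing characters RFC 1738 calls unsafe, and the DHIS 2 apps were sending a raw pipe. The block below is an added example, not code from the DHIS 2 project or from anyone in this thread; the function names, the /api/dataElements.json path and the filter value are constructed for illustration. It flags the unsafe characters in a request target and shows the fix of percent-encoding query values so the pipe travels as %7C.

```javascript
// Added example: not DHIS 2 project code. Characters RFC 1738 section 2.2
// calls "unsafe" in a URL; the pipe '|' is among them, which is why the
// unescaped pipe in the apps drew HTTP 400 from the newer Tomcat builds.
// RFC 1738 also lists '~'; it is left out here because RFC 3986 treats it
// as unreserved and encodeURIComponent leaves it alone.
const UNSAFE_CHARS = new Set([
  ' ', '<', '>', '"', '#', '%', '{', '}', '|', '\\', '^', '[', ']', '`',
]);

// Report every unsafe character in a request target (path plus query) with
// its position. A '%' followed by two hex digits is a well-formed escape and
// is skipped; a bare '%' is reported. Control and non-ASCII characters are
// reported too, since they are not safe either.
function findUnsafeChars(target) {
  const hits = [];
  for (let i = 0; i < target.length; i++) {
    const ch = target[i];
    if (ch === '%' && /^[0-9A-Fa-f]{2}$/.test(target.slice(i + 1, i + 3))) {
      i += 2; // skip the two hex digits of a valid escape
      continue;
    }
    const code = ch.charCodeAt(0);
    if (UNSAFE_CHARS.has(ch) || code < 0x20 || code > 0x7e) {
      hits.push({ ch, index: i });
    }
  }
  return hits;
}

// The fix Lars describes for the apps: percent-encode each query key and
// value so that '|' is sent as %7C instead of raw.
function buildTarget(path, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return query ? `${path}?${query}` : path;
}

// Constructed sample request: a DHIS 2-style filter that uses the pipe.
const RAW_TARGET = '/api/dataElements.json?filter=name:like:Malaria|Cases';
const SAFE_TARGET = buildTarget('/api/dataElements.json', {
  filter: 'name:like:Malaria|Cases',
});

console.log(findUnsafeChars(RAW_TARGET)); // [ { ch: '|', index: 47 } ]
console.log(findUnsafeChars(SAFE_TARGET)); // []
console.log(SAFE_TARGET);
```

Running findUnsafeChars over the request paths an app generates is a quick way to find the remaining raw pipes before a Tomcat upgrade rather than after.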