Hi there,
Excuse my potential noobness as I could be way off the mark here and don't mean to be alarmist.
Our Confluence 4.1 installation runs off JRE 1.6.0 update 26 (not sure whether it was bundled with the previous Confluence or with 4.1). Oracle have posted two critical security patches for Java SE (JDK & JRE) since then. Here is one:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
Could Confluence be an attack vector or at risk? Can I update the JRE version without breaking Confluence 4.1 on my Linux box? Should I update? If I update Confluence to 4.2, will the new JRE be bundled with it?
Thanks!
Regards,
Morgan
Hello Morgan,
Basically: YES, you should.
Why? First of all: ANYthing facing the internet can be a risk. If Confluence is reachable from the internet, people can try to break in to wreak havoc. The decision to "not update" the security-relevant updates is yours alone. It's the classic dilemma of updating vs. breaking something.
IF you want to update, you really really really really should have a clone of your production site on a VM or similar, do the update there, and run your regression tests (a checklist of all important things that MUST work for your site to be operable, including tiny but important macros, for instance the Adaptavist Theme Builder macro "import" on my site). If all checks out well enough to let customers see it, update. Otherwise, fix it ASAP.
"Why the hell, it's only the "backwater Poodle Club" homepage, there is no important data on it?" Because even then, they could use your system to spread malware to innocent surfers who visit your site, or distribute illegal content through your server, making you pay for their bandwidth.
So Java and Linux security updates - Yes, but test it.
Plugin updates inside Confluence (via the Plugin Manager) - Yes, and test it.
About updating from 4.1 to 4.2: check the release notes for whether security-relevant bugfixes are included in 4.2 which are not included in updates for 4.1 (single plugins, for instance). That might be security related, but usually the version change would be triggered by business or feature reasons. Read and judge and test, test, test.
Updating Linux: That's a matter of trust. Do you trust your distribution to push out well-tested, security-relevant updates or not? If not - do you want to test your complete system any time you update Linux? Or would you rather move to another Linux (no niche player, one of the major ones: Ubuntu/Debian, Red Hat, SUSE (and others out there))?
Regarding your last question: For a production site, you should not use the "bundled" package. Set it up via EAR deployment. Do this for the following reasons:
* Updating Tomcat, Java, Database and Linux should be done independently from updating confluence
* That's it: Imagine you hold back an important security fix in Tomcat or Java just because the "checklists" macro does not run on Confluence 4.5.27 like you need it, and they break into your system. That cannot happen as fast if you use your Linux update functions to update Tomcat and Java.
Regards, Josch
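An added shell check, not from any post in this thread, for the uncertainty in the question about which JRE Confluence actually runs: it resolves the java binary behind the Confluence JVM process and compares its reported version against a minimum patched release. The minimum version (`MIN_JRE_VERSION`), the `CONFLUENCE_PID` variable and the sample output are placeholders or constructed values to replace from the Oracle advisory and your own box.

```sh
#!/bin/sh
# Added example, not from any post in this thread: confirm which JRE a running
# Confluence JVM actually uses and whether it is older than a patched release.
# MIN_JRE_VERSION is a PLACEHOLDER; take the real minimum from the Oracle advisory.
MIN_JRE_VERSION="${MIN_JRE_VERSION:-1.6.0_99}"
# Resolve the java binary behind a JVM process (Linux only, via /proc/<pid>/exe).
java_binary_of_pid() {
    readlink "/proc/$1/exe"
}

# Split a Java 1.x version string such as "1.6.0_26-b03" into "major minor micro update".
java_version_fields() {
    v=${1%%-*}                                  # drop build suffixes like -b03
    upd=0
    case "$v" in *_*) upd=${v##*_}; v=${v%_*} ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} $upd"
}

# Exit 0 if version $1 is at least version $2, comparing field by field as integers.
jre_at_least() {
    set -- $(java_version_fields "$1") $(java_version_fields "$2")
    a1=$1 a2=$2 a3=$3 a4=$4
    shift 4
    for pair in "$a1:$1" "$a2:$2" "$a3:$3" "$a4:$4"; do
        if [ "${pair%%:*}" -gt "${pair##*:}" ]; then return 0; fi
        if [ "${pair%%:*}" -lt "${pair##*:}" ]; then return 1; fi
    done
    return 0
}

# Pull the version out of `java -version` output (first line, e.g. java version "1.6.0_26").
version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Report "ok <ver>", "outdated <ver>" or "unknown" for captured `java -version` output.
jre_status() {
    ver=$(version_from_output "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if jre_at_least "$ver" "$MIN_JRE_VERSION"; then echo "ok $ver"; else echo "outdated $ver"; fi
}
# Constructed sample, modelled on the JRE 1.6.0 update 26 from the question.
jre_status 'java version "1.6.0_26"'
# Live check against the real process: CONFLUENCE_PID=<pid> sh this_script.sh
if [ -n "${CONFLUENCE_PID:-}" ]; then
    jre_status "$("$(java_binary_of_pid "$CONFLUENCE_PID")" -version 2>&1)"
fi
```

Using the process's own binary rather than whatever `java` is first on `PATH` matters because a bundled Confluence ships its own JRE, so a system-wide Java update may leave the one Confluence runs untouched.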
Thanks mate! You answered my question and more.
Morgan,
As far as I understand, Oracle's recent security advisories are concerned with client-side vulnerabilities. They are about what can happen when you run an applet in your browser from a malicious web site. I am not 100% sure - there are not many details in those advisories.
What you should update first is Confluence itself (unrelated to the Oracle advisory) - there are constant security improvements in almost all releases. Then you need to update Java on your desktop computer (as a result of the advisory). Only then are you in a position to start thinking about upgrading the server JRE, middleware, and OS.
Regards,
Vitaly
Hi Vitaly,
Are you saying 4.0 or 4.1 - or worse, 3.5 - with plugin updates are less secure than 4.2?
Regards, Josch
Josch,
It is best if you keep track of our advisories at http://confluence.atlassian.com/display/DOC/Confluence+Security
and subscribe to the technical alerts in http://my.atlassian.com to receive all updates about any security fixes.
Regards,
Vitaly