Get product advice from experts

Ask a question →

Join a community group

Find a group →

Advance your career with learning paths

Take a free class →

Earn badges and rewards

Connect and share ideas at events

See the calendar →

Community
Products
Jira
Questions
Apache Tomcat upgrade: JIRA 5.1 Standalone

Apache Tomcat upgrade: JIRA 5.1 Standalone

JIRA 5.1.8 standalone is bundled with Apache Tomcat 6.0.35. Due to the security vulnerabilities that have been identified in that version, we need to upgrade Tomcat to the latest possible version of Tomcat 6, which is currently 6.0.36 .

What's the possibility of upgrading Tomcat which is bundled into JIRA?
Is it a better option to set up a WAR instead of the standalone (for better manageability of upgrades)?

Thanks in advance!

--

Shaakunthala

2 answers

1 accepted

1 vote

Answer accepted

You've ruled out a full upgrade, so the answer is "option 2".

You could try to upgrade the Tomcat around your Jira, but frankly, it's a monumental pain in the neck. You don't know what files Atlassian have modified to get the Tomcat into such a simple friendly "deploy and forget" format.

In fact, it's not that many, but you still have to find every single one of them, check it's validity in your new Tomcat and merge the changes in. I've started to do it a couple of times, and realised that "download war, deploy in whatever Tomcat I feel like" is a tiny fraction of the work you'd need to do to upgrade a Tomcat around a Jira. I estimated a couple of weeks the last time it came up in a meeting, and was able to deploy a test Tomcat and new Jira-war inside it before the end of the meeting.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Reply

1 vote

Why not just update your JIRA, by doing so, you will get a tested comination, including Tomcat 7.0.29 (JIRA 5.2.5)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Upgrading to 5.2.5 is a big milestone for us, as we have so many customizations and in-house built plugins to test with the upgraded version. For the moment we look for the possibility of minimizing the security vulnerabilities.

Even if we upgrade, the recommended Tomcat 7 version is 7.0.32. So again we're coming to the same question.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Fine, is should be relatively straight forward to take the JIRA5.2.5 deployment structure, remove the atlassian-jira/ tree and transplant your current JIRA version atlassian-jira/ in its place. I would think any (unlikley) incompatibilities would show up quickly?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

In addition to Andy's answer, you may like to refer the discussion on the similar question here.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Let me simplify the security team's recommendation further:

If we are to live with Tomcat 6, then it should be Tomcat 6.0.36
If we are to live with Tomcat 7, then it should be Tomcat 7.0.32 (not 7.0.29)

In other terms, despite of whether we are going to have either 5.1.8 or 5.2.5, we do have to upgrade the Tomcat. In that case, I'm not sure if transplanting the application is the correct resolution.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

Suggest an answer

Log in or Sign up to answer

Was this helpful?

Thanks!

TAGS

Community showcase