It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Why Atlassian choose to support only older version of tomcat ?

Hi,

I'm just in the process to upgrade my Bamboo instance to version 5.7.1. Checked and found that Atlassian only supports the bundled Tomcat which is version 7.0.40.

How does Atlassian explain this choice when there are security issues (and fixes) on version 7.0.40 ?
Just take a look at [http://tomcat.apache.org/security-7.html] and you can see that it is a bad idea to run 7.0.40.

 

--

Issa

2 answers

1 vote

Issa

Check Oliver Pereira's response at the end of https://jira.atlassian.com/browse/BAM-15127. You should be able to download Bamboo WAR and install in the most recent Tomcat.

We might also bundle most recent Tomcat in next Bamboo release. Please watch that issue for future updates.

Probably not a major issue, but if you run into problems with Bamboo, Atlassian support may not help you out.

Exactly, I'm not having a problem with finding Bamboo binaries, but more on the support policy of Atlassian on its products. If you supports Bamboo 5.7.1 when it only runs on 7.0.40, what do you do about the security fixes made my Apache on Tomcat ? Can someone at Atlassian answer this question ?

I'm not sure Atlassian patches handle Tomcat security issues...

Since they package tomcat internally with their products in some installation packages, they would need to since users are unaware. They would normally not fix things in tomcat, but they can provide an patch or a maintenance release if the security flaw would affect an Atlassian installation. If you read their Security Bugfix Policy they would be required to if the exploit would affect the customer system or atlassian products as per their policy. The issue is just because there are exploits it may not be possible to exploit through Atlassian product installations, so Atlassian would not need to provide a fix. This point is where contention arises. This is another reason to follow Atlassian recommended installation steps. If you have a non-standard installation, they could say fix your installation instead of providing a patch or a release. https://www.atlassian.com/security/secpol With Bamboo, they would provide a maintenance release based upon the current security bugfix policy.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bamboo

Unable to add or edit Bitbucket Cloud repository in Bamboo

On 31 May, a GDPR-related change went live in the Bitbucket Cloud API that resulted in users not being able to create or edit Bitbucket Cloud Linked repositories in Bamboo. This API update removed t...

439 views 2 6
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you