
Why does Atlassian choose to support only an older version of Tomcat?

Issa November 26, 2014

Hi,

I'm just in the process of upgrading my Bamboo instance to version 5.7.1. I checked and found that Atlassian only supports the bundled Tomcat, which is version 7.0.40.

How does Atlassian explain this choice when there are security issues (and fixes) on version 7.0.40?
Just take a look at [http://tomcat.apache.org/security-7.html] and you can see that it is a bad idea to run 7.0.40.

 

--

Issa

2 answers

1 vote
Krystian Brazulewicz
Atlassian Team
November 26, 2014

Issa

Check Oliver Pereira's response at the end of https://jira.atlassian.com/browse/BAM-15127. You should be able to download the Bamboo WAR and install it in the most recent Tomcat.

We might also bundle the most recent Tomcat in the next Bamboo release. Please watch that issue for future updates.

Norman Abramovitz
Rising Star
November 26, 2014

Probably not a major issue, but if you run into problems with Bamboo, Atlassian support may not help you out.

Issa November 26, 2014

Exactly, I'm not having a problem with finding Bamboo binaries, but more on the support policy of Atlassian on its products. If you support Bamboo 5.7.1 when it only runs on 7.0.40, what do you do about the security fixes made by Apache on Tomcat? Can someone at Atlassian answer this question?

0 votes
Norman Abramovitz
Rising Star
November 26, 2014

Please see https://confluence.atlassian.com/display/BAMBOO/Bamboo+security+advisories for Bamboo Security Advisories and patches.

Issa November 26, 2014

I'm not sure Atlassian patches handle Tomcat security issues...

Norman Abramovitz
Rising Star
November 30, 2014

Since they package Tomcat internally with their products in some installation packages, they would need to, since users are unaware. They would normally not fix things in Tomcat, but they can provide a patch or a maintenance release if the security flaw would affect an Atlassian installation. If you read their Security Bugfix Policy, they would be required to if the exploit would affect the customer system or Atlassian products, as per their policy. The issue is, just because there are exploits, it may not be possible to exploit through Atlassian product installations, so Atlassian would not need to provide a fix. This point is where contention arises. This is another reason to follow Atlassian recommended installation steps. If you have a non-standard installation, they could say fix your installation instead of providing a patch or a release. https://www.atlassian.com/security/secpol With Bamboo, they would provide a maintenance release based upon the current security bugfix policy.
