Excuse my potential noobness as I could be way off the mark here and don't mean to be alarmist.
Our Confluence 4.1 installation runs off JRE 1.6.0 update 26 (not sure if it was bundled with a previous Confluence version or with 4.1). Oracle has posted two critical security patches for Java SE (JDK & JRE) since then. Here is one:
Could Confluence be an attack vector or at risk? Can I update the JRE version without breaking Confluence 4.1 on my Linux box? Should I update? If I update Confluence to 4.2, will the new JRE be bundled with it?
Basically: YES, you should.
Why? First of all: ANYthing facing the internet can be a risk. If Confluence is reachable from the internet, people can try to break in to wreak havoc. The decision to "not update" the security-relevant updates is yours alone. It's the classical dilemma of updating vs. breaking something.
IF you want to update, you really really really really should have a clone of your production site on a VM or other, do the update there, run your regression tests (a checklist with all important things that MUST work for your site to be operable, including tiny but important macros like, for instance, the Adaptavist Theme Builder macro "import" on my site). If all checks out well enough to let customers see it, update. Otherwise, fix it ASAP.
"Why the hell, it's only the "backwater Poodle Club" homepage, there is no important data on it?" Because even then, they could use your system to spread malware to innocent surfers who visit your site, or distribute illegal content through your server, making you pay for their bandwidth.
So Java and Linux security updates - Yes, but test it.
Plugin updates inside Confluence (via the Plugin Manager) - Yes, and test it.
About updating from 4.1 to 4.2: check the release notes, whether security-relevant bugfixes are included in 4.2 which are not included in updates for 4.1 (single plugins for instance). That might be security related, but usually the version change would be triggered by business or feature reasons. Read and judge and test, test, test.
Updating Linux: That's a matter of trust. Do you trust your distribution to push out well-tested, security-relevant updates or not? If not - do you want to test your complete system any time you update Linux? Or would you rather move to another Linux (no niche player, one of the major ones: Ubuntu/Debian, Red Hat, SUSE (and others out there))?
Regarding your last question: For a production site, you should not use the "bundled" package. Set it up via EAR deployment. Do this for the following reasons:
* Updating Tomcat, Java, Database and Linux should be done independently from updating Confluence
* That's it: Imagine you hold back an important security fix in Tomcat or Java just because the "checklists" macro does not run on Confluence 4.5.27 like you need it - and they break into your system. That cannot happen as fast if you use your Linux update functions to update Tomcat and Java.
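The answer above hinges on knowing which JRE the Confluence process really executes (the bundled one or the distribution's) and whether it is at the update level you think it is. As an added example, not code from this thread or from Atlassian, this POSIX shell snippet parses `java -version` output in the `1.x.0_NN` scheme the question mentions (`1.6.0_26`), compares it against a minimum update level, and reads the binary a running process executes from Linux `/proc/<pid>/exe`. The function names, the constructed sample text and the minimum-level arguments are assumptions; take the real minimum from the advisory that applies to you.

```shell
#!/bin/sh
# Added example: check a JRE against a minimum 1.x update level and find the
# java binary a running Confluence/Tomcat process actually executes.

# Constructed sample of `java -version` output for the asker's JRE 1.6.0_26.
SAMPLE_OLD='java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)'

# Print "<major> <update>" for pre-Java-9 version text, e.g. 1.6.0_26 -> "6 26".
# Prints nothing if the text does not use that scheme (e.g. "11.0.2").
jre_version_key() {
    printf '%s\n' "$1" |
        sed -n 's/^java version "1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\)".*/\1 \2/p' |
        head -n 1
}

# Exit 0 if the version text is at or above major $2 / update $3,
# 1 if it is older, 2 if the text could not be parsed (treat as "unknown").
jre_is_at_least() {
    key=$(jre_version_key "$1")
    [ -n "$key" ] || return 2
    have_major=${key%% *}
    have_update=${key##* }
    [ "$have_major" -gt "$2" ] && return 0
    [ "$have_major" -eq "$2" ] && [ "$have_update" -ge "$3" ] && return 0
    return 1
}

# `java -version` output of the binary a running process executes (Linux /proc).
# A bundled Confluence JRE and the distribution JRE can differ, so inspect the
# Confluence/Tomcat PID instead of trusting whatever `java` is on $PATH.
jre_text_of_pid() {
    exe=$(readlink "/proc/$1/exe") || return 1
    "$exe" -version 2>&1
}

# Usage: ./jrecheck.sh <confluence-pid> <min-major> <min-update>
# (the minimum values are placeholders; take them from the applicable advisory)
if [ "$#" -eq 3 ]; then
    text=$(jre_text_of_pid "$1") || { echo "cannot read JRE of pid $1"; exit 2; }
    if jre_is_at_least "$text" "$2" "$3"; then
        echo "OK: JRE $(jre_version_key "$text") meets minimum $2/$3"
    else
        echo "UPDATE NEEDED or unknown version: $(printf '%s' "$text" | head -n 1)"
    fi
fi
```

Run it against the clone described above first; a result of "unknown" means the parser did not recognise the version string, not that the JRE is current.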
As far as I understand, Oracle's recent security advisories are concerned with client-side vulnerabilities. They are about what can happen when you run an applet in your browser from a malicious web site. I am not 100% sure - there are not many details in those advisories.
What you should update first is Confluence itself (unrelated to the Oracle advisory) - there are constant security improvements in almost all releases. Then you need to update Java on your desktop computer (as a result of the advisory). Only then are you in a position to start thinking about upgrading the server JRE, middleware, and OS.
It is best if you keep track of our advisories at http://confluence.atlassian.com/display/DOC/Confluence+Security and subscribe to the technical alerts in http://my.atlassian.com to receive all updates about any security fixes.