
I'm running a production web server with Ubuntu 12.04, which ships Tomcat 7.0.26. Should I care about updating the Tomcat installation to the latest 7.0.42 version, or should I stick with what's provided? If I stick with it, am I not vulnerable to threats & bugs in the 7.0.26 version? I've been advised to always use the latest minor version for things like JRE 7, Tomcat 7 etc.; does that not hold good here?

Should I be installing the latest version by downloading the tar & untarring it instead of using apt-get install to get an older version from the Ubuntu repositories? How would I update those installations later then?

Edit:

I just have a single webapp running on a single server, and I don't have any specific feature requirements for Tomcat or JRE that force me to use a particular newer version. I'm asking this just to ensure that if I'm running an older version supplied by Ubuntu (installed through apt-get install), am I safe in terms of security & quality of software? Will these software packages be updated to a newer minor version later while I'm sticking to a particular LTS version?

Braiam

3 Answers


If you installed Tomcat with apt-get install and have not messed with your sources.list file too much, then you are secure by just letting Ubuntu update regularly.

Apparently the Tomcat7 package is not updated very often, so you might want to check the changelog to see whether they have a history of updating the package as soon as a security vulnerability is discovered:

http://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat7/tomcat7_7.0.26-1ubuntu1.2/changelog

Nicolas Raoul

Q. Should I care about updating the tomcat installation to latest 7.0.42 version or should I stick with what's provided? A. Yes, you should update/upgrade.

Q. If I stick then am I not vulnerable to threats & bugs in 7.0.26 version? A. Yes, you're vulnerable to the bugs in old versions. But, you'd get the security updates & patches automatically as they're released.

Q. I've been suggested to always use the latest minor version for things like JRE 7, Tomcat 7 etc, does it not hold good here? A. It's best practice to use the latest stable version.

Q. Should I be installing the latest version by downloading the tar & untar-ing it instead of using apt-get install to download from ubuntu repositories an older version? How would I be updating those installations later then? A. It all depends on whether the latest (stable) version is in the Ubuntu Reps. If it's there, get it from Rep; else build from the source. The 'Software Updater' would take care of future updates if the source PPA/Rep is added in sources.list. If these sources aren't added, it would be updated to any later version in the Reps.

TomKat
  • As said by @Braiam in his answer, the apt-get installations receive security updates every 24 hrs or when you do apt-get update && apt-get upgrade, but how would I be updating this manual installation with security patches so frequently? I don't know how to do that. – Rajat Gupta Sep 28 '13 at 03:59
  • @user01 The system would do that for you. I've installed a lot of packages from source, and the system updates them automatically. To be sure, just add the source rep to 'Software & Updates' list ('Updates' tab). Please check this out to know how to add sources: https://help.ubuntu.com/community/SourcesList If you don't feel confident of the process (although there's no reason to feel so), just get a .deb file from the website of the packages reqd, or stick to what Ubuntu has for default. In either case, the system would update the package if the source is added to the list I mentioned before. – TomKat Sep 28 '13 at 04:55
  • I have a server installation without a GUI, so there is no 'Software & Updates' or Updates tab. However, that doesn't matter; I can directly edit sources.list. But even so, I don't think there are any official repositories available to install/upgrade Tomcat. Are there any you know of? – Rajat Gupta Sep 28 '13 at 05:31
  • @user01 Tomcat is included in the repositories; just install it with sudo apt-get install tomcat7 and you will get all the updates, patches, etc. in your system. Ubuntu server also includes its own update process. Again, if you are a "newbie" you should stick with Ubuntu's default package and not mess with the system. Badly installed software will be worse than packages well installed and updated from the repositories. – Braiam Sep 28 '13 at 05:57
  • @Braiam: yes that makes sense! – Rajat Gupta Sep 28 '13 at 06:00
  • But it is unclear how Ubuntu updates Tomcat, because the minor version never changes; it always stays on Tomcat 7.0.26 with Ubuntu 12.04! – Rajat Gupta Sep 28 '13 at 06:04
  • As @Braiam said (and I too said in my last comment), stick to what's in the Ubuntu repos; if there is a newer version in future, it'd be updated (provided that Canonical has tested it to be safe for your env). Don't worry, you'll keep getting the security updates & patches though. Rest assured of that. Most packages in Ubuntu repos are a couple of minor versions behind the latest official (from the developers), but you always get the updates. – TomKat Sep 28 '13 at 06:17
  • @user01 check my updated answer. – Braiam Sep 28 '13 at 14:10

I'm asking this just to ensure that if I'm running an older version supplied by Ubuntu (installed through apt-get install), am I safe in terms of security & quality of software?

By default, Ubuntu now includes backports. Meaning? That security fixes are delivered to you fast and steadily once they are fixed upstream. Add to this the fact that the security repository should be in your sources.list too. Hence, installing from the repositories will keep your system secure as long as you keep it updated.

Ubuntu by default checks for updates every ~24 hrs and installs security upgrades immediately.

Will these software packages be updated to a newer minor version later while I'm sticking to a particular LTS version?

Here you are contradicting yourself. You said that you don't have to stick with a particular version of Tomcat, yet you are fretting about whether a minor upgrade gets released. LTS releases are for people who prefer stability over innovation. If you keep your system upgraded and follow the standard security practices, you will be fine.

But it is unclear how Ubuntu updates Tomcat, because the minor version never changes; it always stays on Tomcat 7.0.26 with Ubuntu 12.04!

If you instead check the package versions with apt-cache policy tomcat7, you will notice that the version does change. You should also check the changelog and notice the precise-security updates. These packages get installed on your system as soon as they are available. The internal version of Tomcat will not change, since:

  1. Ubuntu is applying a minor patch that solves a specific issue.
  2. Features are not introduced in backports, only fixes.
  3. As features are not introduced, and some code depends on a specific version (neither lower nor higher) to work, these are not affected.
Braiam
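The point made in this answer is that the Debian package revision (7.0.26-1ubuntu1, then 7.0.26-1ubuntu1.2) advances while the upstream Tomcat version stays 7.0.26. As an added example that is not part of the thread, the POSIX shell functions below parse a constructed sample of apt-cache policy tomcat7 output (its shape is an assumption) to split a package version into upstream and packaging parts and to check that the installed build is the current candidate and came from a -security pocket.

```shell
# Constructed sample of `apt-cache policy tomcat7` output on a 12.04 host
# (assumed shape; not captured from a real machine).
POLICY_SAMPLE='tomcat7:
  Installed: 7.0.26-1ubuntu1.2
  Candidate: 7.0.26-1ubuntu1.2
  Version table:
 *** 7.0.26-1ubuntu1.2 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     7.0.26-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages'

# Split a Debian version: upstream part before the last '-', packaging revision after it.
upstream_version() { printf '%s\n' "$1" | sed 's/-[^-]*$//'; }   # 7.0.26
debian_revision()  { printf '%s\n' "$1" | sed 's/.*-//'; }       # 1ubuntu1.2

installed_version() { printf '%s\n' "$1" | awk '/^ *Installed:/ { print $2 }'; }
candidate_version() { printf '%s\n' "$1" | awk '/^ *Candidate:/ { print $2 }'; }

# Print the suite/component (e.g. precise-security/universe) that provides version $2.
version_suite() {
  printf '%s\n' "$1" | awk -v v="$2" '
    ($1 == "***" && $2 == v) || ($1 == v && $2 == "0") { found = 1; next }
    found && $2 ~ /^http/ { print $3; exit }
    $1 == "***" || $2 == "0" { found = 0 }'
}

# Return 0 when the installed build is the newest candidate and came from a
# -security pocket; 1 when an upgrade is pending; 2 when it came from elsewhere.
security_status() {
  inst=$(installed_version "$1"); cand=$(candidate_version "$1")
  if [ "$inst" != "$cand" ]; then
    echo "upgrade pending: $inst -> $cand"; return 1
  fi
  case $(version_suite "$1" "$inst") in
    *-security/*)
      echo "installed $inst (upstream $(upstream_version "$inst"), revision $(debian_revision "$inst")) from security pocket"
      return 0 ;;
    *)
      echo "installed $inst did not come from a -security pocket"; return 2 ;;
  esac
}

# On a real host, replace POLICY_SAMPLE with "$(apt-cache policy tomcat7)".
security_status "$POLICY_SAMPLE"
```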
  • Could you please also suggest how to install JRE7 for this server? I need only the Oracle JRE, but that's not in the Ubuntu repositories. There is a well trusted PPA, webupd8, but that provides the Oracle JDK, not just the JRE. Could you suggest how to grab the JRE? Should I go for a manual tar download, unpack it & move it to the proper directory? Although this is easier, what about the security updates? How would I apply security patches to this installation? I don't want to go with any untrusted PPA or install a package that comes with lots of extras that I don't need for a server. Thanks for your kind attention! – Rajat Gupta Sep 28 '13 at 18:26
  • @user01 http://askubuntu.com/q/55848/169736 BTW, I tell you again, steer clear of PPAs and messing with your repositories if you look for stability. Also, take into account that Oracle and Ubuntu don't play well together; I would stick with the OpenJDK and OpenJRE project instead. – Braiam Sep 28 '13 at 18:53
  • I followed the JRE one (http://askubuntu.com/questions/56104/how-can-i-install-sun-oracles-proprietary-java-6-7-jre-or-jdk) posted by the same person. BTW, I was asking how I keep this installation updated with the latest security updates? What's the way? [FYI: I didn't make a choice for the Oracle JRE; I use Cassandra DB & they recommend that] – Rajat Gupta Sep 28 '13 at 20:31
  • @user01 sorry, but I read up to 3 sentences and without tl;dr is hard to read comments. and I think you are looking for this one http://askubuntu.com/a/183868/169736 in that case. Also, don't jumble a bunch of questions in comments, for that ask another question ;). – Braiam Sep 28 '13 at 21:20