<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Just to update the list on the progress in Sweden with tomcat5:</div><div><br></div><div>The short version is that, when using tomcat5, xalan 2.6 (not later) was explicitly needed as a runtime dependency for tomcat. </div><div><br></div><div>Should anyone using Tomcat5 come across errors such as:</div><div><div>- javax.xml.transform.TransformerFactoryConfigurationError: Provider org.apache.xalan.processor.TransformerFactoryImpl not found</div><div>- java.lang.NoClassDefFoundError: org/apache/xml/serializer/OutputPropertiesFactory</div></div><div><br></div><div>Please read these, which describe the steps needed:</div><div> <a href="http://doookstechstuff.blogspot.dk/2010/04/how-to-fix-tomcat5-on-rhel5.html">http://doookstechstuff.blogspot.dk/2010/04/how-to-fix-tomcat5-on-rhel5.html</a></div><div> <a href="http://www.expertaya.com/tag/tomcat5/">http://www.expertaya.com/tag/tomcat5/</a></div><div><br></div><div>They are up and running thanks to Mickael and colleagues.</div><div><br></div><div>Cheers,</div><div>Tim</div><div><br></div><br><div><div>On Sep 23, 2013, at 5:19 PM, Laura Russell wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 12px; font-family: Verdana, sans-serif; "><div><div><div>I'll suggest to those institutions that they upgrade to a newer version of CentOS. I know of three that are using CentOS 5.
Two of the three host other things on those servers besides IPT so they may be less inclined to change.</div><div><div><br></div><div>Laura Russell</div><div>VertNet Programmer</div><div>VertNet</div><div>KU Biodiversity Institute</div><div>1345 Jayhawk Blvd.</div><div>Dyche Hall, Room 606</div><div>Lawrence, KS 66045</div><div><br></div><div>Phone: +01 785 864-4681</div><div>Fax: +01 785 864-5335</div><div><br></div><div>email: <a href="mailto:larussell@vertnet.org">larussell@vertnet.org</a></div><div>email: <a href="mailto:larussell@ku.edu">larussell@ku.edu</a></div><div><br></div><div>Skype: laura.anne.russell</div><div>Gchat: <a href="mailto:larussell@vertnet.org">larussell@vertnet.org</a></div><div><br></div><div>url: <a href="http://www.vertnet.org">www.vertnet.org</a></div><br></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> "Tim Robertson [GBIF]" <<a href="mailto:trobertson@gbif.org">trobertson@gbif.org</a>><br><span style="font-weight:bold">Date: </span> Monday, September 23, 2013 10:10 AM<br><span style="font-weight:bold">To: </span> Laura Russell <<a href="mailto:larussell@vertnet.org">larussell@vertnet.org</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:IPT@lists.gbif.org">IPT@lists.gbif.org</a> list" <<a href="mailto:ipt@lists.gbif.org">ipt@lists.gbif.org</a>>, Mickael Graf <<a href="mailto:Mickael.Graf@nrm.se">Mickael.Graf@nrm.se</a>>, Anders Telenius <<a href="mailto:Anders.Telenius@nrm.se">Anders.Telenius@nrm.se</a>><br><span style="font-weight:bold">Subject: </span> Re: [IPT] Security update<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div 
style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Hi Laura
<div><br></div><div>We use CentOS for the majority of our servers, but we're on CentOS 6.3 or 6.4 depending on where the server is in its management cycle - 6.x has been out since mid 2011. I'd suggest aiming to follow updates once or twice a year if possible. CentOS is
serving us very well.</div><div><br></div><div>Since we're talking about upgrades, security etc. - at the GBIF secretariat we are also prioritizing Java 7 upgrades across the board as 6 is no longer supported by Oracle (meaning it could be a security risk as issues will most likely no longer be fixed - I stop
short of saying "won't be", but Oracle are saying it is now end of life: <a href="http://www.oracle.com/technetwork/java/eol-135779.html">http://www.oracle.com/technetwork/java/eol-135779.html</a>). The IPT will remain backwardly compatible for Java 6 though.</div><div><br></div><div>Cheers,</div><div>Tim</div><div><br></div><div><br><div><div>On Sep 23, 2013, at 5:00 PM, Laura Russell wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 12px; font-family: Verdana, sans-serif; "><div><div><div>I'd be interested in knowing the outcomes of the CentOS patching as several of the institutions I support or advise on their IPTs use CentOS. I'm just getting ready to email all of them now to get to work on this.</div><div><div><br></div><div>Laura Russell</div><div>VertNet Programmer</div><div>VertNet</div><div>KU Biodiversity Institute</div><div>1345 Jayhawk Blvd.</div><div>Dyche Hall, Room 606</div><div>Lawrence, KS 66045</div><div><br></div><div>Phone: +01 785 864-4681</div><div>Fax: +01 785 864-5335</div><div><br></div><div>email: <a href="mailto:larussell@vertnet.org">larussell@vertnet.org</a></div><div>email: <a href="mailto:larussell@ku.edu">larussell@ku.edu</a></div><div><br></div><div>Skype: laura.anne.russell</div><div>Gchat: <a href="mailto:larussell@vertnet.org">larussell@vertnet.org</a></div><div><br></div><div>url: <a href="http://www.vertnet.org/">www.vertnet.org</a></div><br></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: 
</span>"Tim Robertson [GBIF]" <<a href="mailto:trobertson@gbif.org">trobertson@gbif.org</a>><br><span style="font-weight:bold">Date: </span>Monday, September 23, 2013 9:53 AM<br><span style="font-weight:bold">To: </span>Mickael Graf <<a href="mailto:Mickael.Graf@nrm.se">Mickael.Graf@nrm.se</a>><br><span style="font-weight:bold">Cc: </span>"<a href="mailto:IPT@lists.gbif.org">IPT@lists.gbif.org</a> list" <<a href="mailto:ipt@lists.gbif.org">ipt@lists.gbif.org</a>>, Anders Telenius <<a href="mailto:Anders.Telenius@nrm.se">Anders.Telenius@nrm.se</a>><br><span style="font-weight:bold">Subject: </span>Re: [IPT] Security update<br></div><div><br></div><div><base href="x-msg://981/"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Hej Mickael,
<div><br></div><div>Thanks for taking action.<br><div><br></div><div>Can you share your catalina logs please? This could well be a conflict in dependencies or similar. We'll help diagnose. If you would rather not CC everyone, please contact Kyle and myself directly and CC only those you are happy to discuss details with.</div><div><br></div><div>As an aside - those OS and tomcat versions are quite ancient. There could well be other security holes in your system for other reasons, so I'd suggest scheduling some upgrades for safety reasons when it fits with your other deployments - most likely
you are aware of this though.</div><div><br></div><div>Cheers,</div><div>Tim</div><div><br></div><div><br><div><div>On Sep 23, 2013, at 4:42 PM, Mickael Graf wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div ocsi="0" fpstyle="1" style="word-wrap: break-word; font-family: Helvetica; "><div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0, 0); font-size: 10pt; ">
Dear all,<br><br>
I went through all the steps and now, although I have a nice $tomcat/webapps/ipt directory, I have a not so nice error 404 while trying to access the app for completing the installation. "<u>The requested resource () is not available.</u>" it says...<u><span class="Apple-converted-space"> </span><br><br></u>I don't know if the reason is my old centos 5/tomcat 5 or an error in ipt.war, but I would bet on the latter.<br><br>
Cheers<br>
Mickaël<u><br></u><br><div style="font-family: 'Times New Roman'; color: rgb(0, 0, 0); font-size: 16px; "><hr tabindex="-1"><div id="divRpF981832" style="direction: ltr; "><font color="#000000" face="Tahoma" size="2"><b>From:</b><span class="Apple-converted-space"> </span><a href="mailto:ipt-bounces@lists.gbif.org">ipt-bounces@lists.gbif.org</a> [<a href="mailto:ipt-bounces@lists.gbif.org">ipt-bounces@lists.gbif.org</a>]
on behalf of Kyle Braak [GBIF] [<a href="mailto:kbraak@gbif.org">kbraak@gbif.org</a>]<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, September 23, 2013 12:31<br><b>To:</b><span class="Apple-converted-space"> </span><a href="mailto:IPT@lists.gbif.org">IPT@lists.gbif.org</a> list<br><b>Subject:</b><span class="Apple-converted-space"> </span>[IPT] Security update<br></font><br></div><div></div><div>Dear IPT users,<br><br>
This is an important message. <br><br>
IPT administrators should update their IPTs to the new version which has a security update and was released yesterday: <a href="https://code.google.com/p/gbif-providertoolkit/" target="_blank">https://code.google.com/p/gbif-providertoolkit/</a><br><br>
The security update fixes critical vulnerabilities that have been discovered in the Apache Struts web framework, which the IPT uses. <br><br>
According to <a href="http://www.computerworld.com/s/article/9241639/Hackers_target_servers_running_Apache_Struts_apps?source=CTWNLE_nlt_security_2013-08-15" target="_blank">this article</a>, these Struts vulnerabilities allow hackers to break into a server.
It goes on to say that hackers are actively exploiting these vulnerabilities.<br><br>
Simple instructions on how to update your IPT are below. If you don't have time to update your IPT immediately, I would advise you to take it offline until you can.<br><br>
You can refer to <a href="https://www.mandiant.com/blog/responding-attacks-apache-struts2/" target="_blank">this article</a>, which describes how to determine if you have been attacked.
<div><br></div><div>Please email the IPT list directly for more help upgrading your installation.<br><br>
Sincerely,<br><br>
Kyle, on behalf of the IPT development team and the GBIF Secretariat<br><br>
Instructions on how to update the IPT in Tomcat:<br><div><ol><li>Please download: <a href="https://gbif-providertoolkit.googlecode.com/files/ipt-2.0.5-security-update-1.war" target="_blank">https://gbif-providertoolkit.googlecode.com/files/ipt-2.0.5-security-update-1.war</a></li><li>Back up the IPT data directory somewhere safe</li><li>Remove ipt.war from $tomcat/webapps/ (some seconds later, the deployed /ipt folder should automatically delete)</li><li>Once ipt.war and /ipt have been removed from /webapps - stop Tomcat</li><li>Add the new version to /webapps, renaming it from ipt-2.0.5-security-update-1.war to ipt.war</li><li>Start Tomcat</li><li>In a browser open the application (if it doesn't appear at first, try restarting Tomcat once more).</li><li>When prompted for the IPT data directory, enter the same location as the existing IPT data directory</li><li>Press continue, hopefully installation succeeds.</li></ol></div></div><div><br></div></div></div></div>
</div></blockquote></div><br></div></div></div></div></span></div></blockquote></div><br></div></div></div></span></div>
</blockquote></div><br></body></html>