
Running a production web server with Ubuntu 12.04, which ships Tomcat 7.0.26. Should I care about updating the Tomcat installation to the latest 7.0.42 version, or should I stick with what's provided? If I stick, am I not vulnerable to threats & bugs in the 7.0.26 version? I've been advised to always use the latest minor version for things like JRE 7, Tomcat 7, etc. Does that not hold good here?

Should I be installing the latest version by downloading the tar & untar-ing it, instead of using apt-get install to get the older version from the Ubuntu repositories? How would I be updating those installations later then?

Edit:

I just have a single webapp running on a single server. While I don't have any specific feature requirements for Tomcat or JRE that force me to use a particular newer version, I'm asking this just to ensure that if I'm running an older version supplied by Ubuntu (installed through apt-get install), am I safe in terms of security & quality of software? Will these software packages be updated to a newer minor version later while I'm sticking to a particular LTS version?

Braiam
  • 69,112

3 Answers


If you installed Tomcat with apt-get install and have not messed with your sources.list file too much, then you are secure by just letting Ubuntu update regularly.

Apparently the Tomcat7 package is not updated very often, so you might want to check the changelog to see whether they have a history of updating the package as soon as a security vulnerability is discovered:

http://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat7/tomcat7_7.0.26-1ubuntu1.2/changelog

Nicolas Raoul
  • 11,921

Q. Should I care about updating the tomcat installation to latest 7.0.42 version or should I stick with what's provided? A. Yes, you should update/upgrade.

Q. If I stick then am I not vulnerable to threats & bugs in 7.0.26 version? A. Yes, you're vulnerable to the bugs in old versions. But, you'd get the security updates & patches automatically as they're released.

Q. I've been suggested to always use the latest minor version for things like JRE 7, Tomcat 7 etc, does it not hold good here? A. It's best practice to use the latest stable version.

Q. Should I be installing the latest version by downloading the tar & untar-ing it instead of using apt-get install to get the older version from the Ubuntu repositories? How would I be updating those installations later then? A. It all depends on whether the latest (stable) version is in the Ubuntu repos. If it's there, get it from the repo; else build from the source. The 'Software Updater' would take care of future updates if the source PPA/repo is added in sources.list. If these sources aren't added, it would be updated to any later version in the repos.

TomKat
  • 3,878

I'm asking this just to ensure that if I'm running an older version supplied by Ubuntu (installed through apt-get install), am I safe in terms of security & quality of software?

By default, Ubuntu now includes backports. Meaning? That security fixes are delivered to you fast and steady if they are fixed upstream. Add to this the fact that the security repository should be in your sources.list too. Hence, installing from repositories will keep your system secure while you keep it updated.

Ubuntu by default checks for updates every ~24 hrs and installs security upgrades immediately.

Will these software packages be updated to a newer minor version later while I'm sticking to a particular LTS version?

Here you are contradicting yourself. You said that you don't have to stick with a particular version of Tomcat, yet you are fretting about whether a minor upgrade gets released. LTS is for people who prefer stability over innovation. If you keep your system upgraded and follow the standard security methods, you will be fine.

But it is unclear how Ubuntu updates Tomcat, because the minor version never changes; it always stays on Tomcat 7.0.26 with Ubuntu 12.04..!?

If you instead check the package versions with apt-cache policy tomcat7, you will notice that the version does change. You should also check the changelog and notice the precise-security updates. These packages get installed on your system as soon as they are available. The internal version of Tomcat will not change, since:

  1. Ubuntu is applying a minor patch that solves a specific issue.
  2. Features are not introduced in backports, only fixes.
  3. As features are not introduced, and some code depends on a specific version and up/down to work, these are not affected.
Braiam
  • 69,112
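The first and third answers both recommend verifying, rather than assuming, that the apt-installed package is tracking security updates: look at apt-cache policy, look at the changelog, and understand why the upstream version string stays at 7.0.26 while the Ubuntu revision moves. The script below is an added example, not code from any of the answers above, that turns those checks into functions. All of its input is constructed sample data: the apt-cache policy output, the sources.list lines and the changelog headers are hypothetical, and the version strings 7.0.26-1ubuntu1.1 and 7.0.26-1ubuntu1.2 are illustrative (only 7.0.26-1ubuntu1.2 appears on this page, in the changelog URL). It assumes a POSIX sh with awk and grep; dpkg is used for version ordering only when present.

```shell
#!/bin/sh
# Added example, not part of the original answers. Checks whether an
# apt-installed package is tracking Ubuntu's -security pocket and shows why
# the upstream version string (7.0.26) never moves even as fixes arrive.
# All input below is CONSTRUCTED sample data; the version strings and the
# changelog stanzas are hypothetical. To run it against a live system, use:
#   POLICY=$(apt-cache policy tomcat7)
#   SOURCES=$(cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list 2>/dev/null)
#   CHANGELOG=$(apt-get changelog tomcat7)   # or the changelog URL from the first answer

# Constructed `apt-cache policy tomcat7` output (hypothetical revisions).
SAMPLE_POLICY='tomcat7:
  Installed: 7.0.26-1ubuntu1.1
  Candidate: 7.0.26-1ubuntu1.2
  Version table:
     7.0.26-1ubuntu1.2 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/universe amd64 Packages
 *** 7.0.26-1ubuntu1.1 0
        100 /var/lib/dpkg/status
     7.0.26-1ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages'

# Constructed sources.list contents: one with the security pocket, one without.
SAMPLE_SOURCES='deb http://archive.ubuntu.com/ubuntu/ precise main universe
deb http://archive.ubuntu.com/ubuntu/ precise-updates main universe
deb http://security.ubuntu.com/ubuntu/ precise-security main universe'
SAMPLE_SOURCES_NOSEC='deb http://archive.ubuntu.com/ubuntu/ precise main universe'

# Constructed debian/changelog excerpt (stanza headers only; bodies, maintainers
# and dates omitted).
SAMPLE_CHANGELOG='tomcat7 (7.0.26-1ubuntu1.2) precise-security; urgency=low

  * SECURITY UPDATE: details omitted in this constructed sample

tomcat7 (7.0.26-1ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: details omitted in this constructed sample

tomcat7 (7.0.26-1ubuntu1) precise; urgency=low

  * Merge from Debian (constructed sample)'

# Extract the "Installed:" or "Candidate:" value from apt-cache policy output.
policy_field() {                       # $1 = policy text, $2 = Installed|Candidate
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# A Debian version is <upstream>-<revision>; security fixes bump only the revision.
upstream_version() { printf '%s\n' "${1%%-*}"; }
ubuntu_revision()  { printf '%s\n' "${1#*-}"; }

# Which pocket (precise, precise-updates, precise-security, ...) supplies the candidate?
candidate_pocket() {
    cand=$(policy_field "$1" Candidate)
    printf '%s\n' "$1" | awk -v v="$cand" '
        found && /^ +[0-9]+ / { sub(/\/.*/, "", $3); print $3; exit }
        ($1 == v) || ($1 == "***" && $2 == v) { found = 1 }'
}

# Is any <release>-security pocket enabled in the given sources.list text?
security_pocket_enabled() {
    printf '%s\n' "$1" | grep -Eq '^deb[[:space:]].*[[:space:]][a-z]+-security([[:space:]]|$)'
}

# True when the candidate is newer than what is installed (dpkg ordering when available).
needs_upgrade() {
    inst=$(policy_field "$1" Installed)
    cand=$(policy_field "$1" Candidate)
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$inst" lt "$cand"
    else
        [ "$inst" != "$cand" ]         # fallback: no version ordering without dpkg
    fi
}

# Count changelog stanzas uploaded to a -security pocket: a rough measure of
# whether the package has a history of security uploads.
changelog_security_entries() {
    printf '%s\n' "$1" | grep -Ec '^[a-z0-9.+-]+ \([^)]+\) [a-z]+-security;' || true
}

report() {
    inst=$(policy_field "$SAMPLE_POLICY" Installed)
    cand=$(policy_field "$SAMPLE_POLICY" Candidate)
    printf 'installed: %s (upstream %s, Ubuntu revision %s)\n' \
        "$inst" "$(upstream_version "$inst")" "$(ubuntu_revision "$inst")"
    printf 'candidate: %s from pocket %s\n' "$cand" "$(candidate_pocket "$SAMPLE_POLICY")"
    security_pocket_enabled "$SAMPLE_SOURCES" && echo 'security pocket: enabled'
    needs_upgrade "$SAMPLE_POLICY" && echo 'action: apt-get upgrade will pick up the fix'
    printf 'security uploads in changelog: %s\n' "$(changelog_security_entries "$SAMPLE_CHANGELOG")"
}
report
```

The point the script makes explicit is the one the third answer describes: on the sample data the upstream part of the version is 7.0.26 before and after the update, and only the Ubuntu revision changes, so comparing the Tomcat banner against the upstream release list says nothing about whether the package is patched. What does tell you is the pocket the candidate comes from, whether that pocket is in your sources.list, and whether the changelog shows security uploads for the package. Replace the SAMPLE_* variables with the live commands named in the header comment to run the same checks on a real 12.04 host.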