Hello, We're running a productive Application von JBoss 3.2.3 with Tomcat 4.1.29 for a while now. Since the Server should be partially opened to the Internet now - I have the task to define security-specs for this server. Of course make sure all Win-Patches are in place, update the Apache is mandatory... JDK will also be updated to the latest bugfix release 1.4.2_12 But is it reasonable to update the old JBoss 3.2.3 and/or Tomcat to the latest 3.2.8 SP1 release for security reasons? The App itself is running fine and I would like to avoid touching a running system if it's not reasonable Second - if we better upgrade the App-Server - is there a best practice to do so? Thanks for the help... View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3963978#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...