Tomcat version 6.0.28 security vulnerability issues

 
Greenhorn
We are using Apache Tomcat server version 6.0.28.

[Problem Statement]
While using Tomcat version 6.0.28 we have faced a few security vulnerability issues in this version.

We want to continue using this version 6.0.28 and want to merge those fixes (for the security vulnerability issues) into 6.0.28, so what is the best and easiest way to make these changes?
Please reply ASAP.
 
Rancher
Why do you not want to upgrade to the latest Tomcat 6 version?
 
Sehgal Mohit
Greenhorn
Due to my application's stability on version 6.0.28, I cannot update my web application to the latest version 6.0.x/7.0.x. Can you please provide or assist me with any workaround as per my requirement?
 
Ulf Dittmer
Rancher
What do you mean by "application stability", exactly? How do you know it's worse on, say, 6.0.43 compared to 6.0.28?

Also, which security issue are you trying to guard against specifically? There have been many fixes since 6.0.28, what makes this one special?
 
Sehgal Mohit
Greenhorn
My client does not want to update the Tomcat version (due to the risk of regression).

Below is the list of issues:
1) CVE-2012-2733, CVE-2012-5887, CVE-2012-5885, CVE-2012-5886
2) CVE-2011-3375
3) CVE-2011-4858, CVE-2012-0022
4) CVE-2011-5063, CVE-2011-5064, CVE-2011-1184, CVE-2011-5062
5) CVE-2011-2204, CVE-2011-2526, CVE-2011-2481, CVE-2011-2729
6) CVE-2011-0013, CVE-2011-4172
7) CVE-2010-3718

So in this case, when I do not want to update Tomcat version 6.0.28 to any later stable (6.0.x/7.0.x) version, what is the best possible way to remove these security issues?
 
Ulf Dittmer
Rancher
That's a lot of issues. If you patch Tomcat that extensively yourself, you will have to do a lot more thorough testing than if you were using a release version of it, so the reasoning for not wanting to upgrade to the latest TC 6 or TC 7 is flawed. What's more, TC is a very stable product, and within its release lines the chance of a regression is quite small. I advise moving to the latest TC 7 version; the amount of work you will have to do to adapt any apps is likely to be minuscule.

(I'm assuming that you have checked that there are, in fact, patches for Tomcat for all those issues.)
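The advice above boils down to tracking which release you run and moving to a release that already contains the fixes, rather than back-porting them. As an added illustration (not code posted in this thread), the following Python check reads the version Tomcat records in `org/apache/catalina/util/ServerInfo.properties` inside `catalina.jar` and reports whether it falls below a minimum version you set. The properties content is constructed, and the minimum version is a placeholder: take the real value for your release line from the Apache Tomcat security pages, which list the version that fixed each CVE.

```python
"""
Flag a Tomcat installation whose recorded version is older than a required
minimum. Added illustration, not code from the forum thread. Assumes the
standard ServerInfo.properties layout (server.info / server.number keys);
the minimum version is a placeholder chosen by the operator.
"""
import re
import zipfile
from typing import Dict, Optional, Tuple

# Constructed sample of the properties file shipped inside catalina.jar.
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/6.0.28
server.number=6.0.28.0
server.built=Jul 7 2010 0924
"""

SERVER_INFO_PATH = "org/apache/catalina/util/ServerInfo.properties"

Version = Tuple[int, ...]


def read_server_info(catalina_jar: str) -> str:
    """Return the ServerInfo.properties text from a real catalina.jar on disk."""
    with zipfile.ZipFile(catalina_jar) as jar:
        return jar.read(SERVER_INFO_PATH).decode("utf-8", errors="replace")


def parse_version(text: str) -> Optional[Version]:
    """Extract the dotted numeric version, preferring server.number and
    falling back to the trailing number in server.info."""
    for key in ("server.number", "server.info"):
        pattern = rf"^{re.escape(key)}\s*=\s*.*?(\d+(?:\.\d+)+)\s*$"
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def is_below(installed: Version, minimum: Version) -> bool:
    """True when installed < minimum; shorter tuples are zero-padded so
    6.0.28.0 and 6.0.28 compare as equal."""
    width = max(len(installed), len(minimum))
    padded_installed = installed + (0,) * (width - len(installed))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_installed < padded_minimum


def assess(server_info: str, minimum: str) -> Dict[str, Optional[object]]:
    """Summarise the installed version against the operator-chosen minimum."""
    installed = parse_version(server_info)
    required = tuple(int(part) for part in minimum.split("."))
    if installed is None:
        return {"installed": None, "outdated": None,
                "note": "no version found in ServerInfo.properties"}
    return {
        "installed": ".".join(str(part) for part in installed),
        "outdated": is_below(installed, required),
        "note": f"minimum required {minimum}",
    }


if __name__ == "__main__":
    # 6.0.43 is only the later 6.0.x release mentioned in the thread;
    # substitute the version that fixes the CVEs you care about.
    print(assess(SAMPLE_SERVER_INFO, "6.0.43"))
```

In practice you would call `assess(read_server_info("/path/to/tomcat/lib/catalina.jar"), minimum)` for each host in an inventory, which gives the client a concrete list of installations behind the release line instead of a hand-patched build that nobody else has tested.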
 
Sehgal Mohit
Greenhorn
Yes, I agree with you.

I have also checked that there are patches for those issues, but I don't know how I can use those patches and merge them into my Tomcat version 6.0.28 (I mean, what is the way to find the changes in these patches and merge those changes into my TC 6.0.28?).
 
Ulf Dittmer
Rancher
I think you missed the point about any patched version of yours needing a lot more testing than using a ready-made release version. You need to tell the client that patching is the wrong approach (and also likely to result in a less secure version due to problems introduced during the patching).
 
Sehgal Mohit
Greenhorn
Yes, your opinion is right.
Thanks for the prompt reply/suggestions. Maybe I'll get back to you later on if I need more help on this topic :)
