Re: CVE reporting discrepancies

On 14/08/2020 12:24, Nic P wrote:
> Mark - per NIST this CVE is listed as impact to tomcat
> https://nvd.nist.gov/vuln/detail/CVE-2016-5388 which is how we came to find
> evidence for audit on the version where this was remediated.

As per that description:

...this is not a CVE ID for a vulnerability.

Mark

> On Fri, Aug 14, 2020 at 4:15 AM Mark Thomas wrote:
>
>> On 13/08/2020 20:52, Nic P wrote:
>>> Hi
>>>
>>> Can anyone help me understand why some CVEs show in the changelog but
>>> not on the security report?
>>>
>>> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but
>>> missing on the security report.
>>>
>>> This has come up in an audit and hard to explain which is the System of
>>> Record information for security fixes.
>>>
>>> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
>>>
>>> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>
>> Because CVE-2016-5388 is not an Apache Tomcat vulnerability. The
>> changelog refers to the mitigation applied to Apache Tomcat to protect
>> users if they happen to be using vulnerable CGI executables.
>>
>> Mark

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: CVE reporting discrepancies

Mark - per NIST this CVE is listed as impact to tomcat
https://nvd.nist.gov/vuln/detail/CVE-2016-5388 which is how we came to find
evidence for audit on the version where this was remediated.

On Fri, Aug 14, 2020 at 4:15 AM Mark Thomas wrote:
> On 13/08/2020 20:52, Nic P wrote:
>> Hi
>>
>> Can anyone help me understand why some CVEs show in the changelog but
>> not on the security report?
>>
>> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but
>> missing on the security report.
>>
>> This has come up in an audit and hard to explain which is the System of
>> Record information for security fixes.
>>
>> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
>>
>> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>
> Because CVE-2016-5388 is not an Apache Tomcat vulnerability. The
> changelog refers to the mitigation applied to Apache Tomcat to protect
> users if they happen to be using vulnerable CGI executables.
>
> Mark
Re: CVE reporting discrepancies

On 13/08/2020 20:52, Nic P wrote:
> Hi
>
> Can anyone help me understand why some CVEs show in the changelog but
> not on the security report?
>
> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but
> missing on the security report.
>
> This has come up in an audit and hard to explain which is the System of
> Record information for security fixes.
>
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
>
> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Because CVE-2016-5388 is not an Apache Tomcat vulnerability. The
changelog refers to the mitigation applied to Apache Tomcat to protect
users if they happen to be using vulnerable CGI executables.

Mark
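A reconciliation check for the kind of discrepancy discussed in this thread, written here as an added example (it is not code from the thread or from the Tomcat project): it maps changelog CVE mentions to their release headings and flags IDs that appear in the changelog but not in the security report, which is exactly where a mitigation for another product's CVE, such as CVE-2016-5388, shows up. The two HTML excerpts are constructed to mimic the layout of the cited pages, and CVE-2016-99999 is a constructed sample ID, not a real advisory.

```python
import re
from typing import Dict, Set

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")
VERSION_HEADING_RE = re.compile(r"<h3[^>]*>Tomcat (\d+\.\d+\.\d+)")

# Constructed excerpts that only mimic the layout of the changelog and
# security pages cited in the thread; they are not the real page contents.
# CVE-2016-99999 is a constructed sample ID, not a real advisory.
CHANGELOG_EXCERPT = """
<h3 id="Tomcat_8.0.37_(markt)">Tomcat 8.0.37 (markt)</h3>
<li>Fix: Mitigate CVE-2016-5388 by dropping HTTP_PROXY from the CGI environment.</li>
<li>Fix: Sample security fix tracked as CVE-2016-99999.</li>
<h3 id="Tomcat_8.0.36_(markt)">Tomcat 8.0.36 (markt)</h3>
<li>Fix: Sample non-security bug fix with no CVE reference.</li>
"""

SECURITY_EXCERPT = """
<h3 id="Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37">Fixed in Apache Tomcat 8.5.5 and 8.0.37</h3>
<p>Low: Sample issue CVE-2016-99999 (constructed entry)</p>
"""


def cves_by_version(changelog_html: str) -> Dict[str, Set[str]]:
    """Map each changelog release heading to the CVE IDs mentioned under it."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in changelog_html.splitlines():
        heading = VERSION_HEADING_RE.search(line)
        if heading:
            current = heading.group(1)
            result.setdefault(current, set())
            continue
        if current is not None:
            result[current].update(CVE_RE.findall(line))
    return result


def reconcile(changelog_html: str, security_html: str) -> Dict[str, Set[str]]:
    """Classify every CVE ID by which of the two pages mentions it."""
    changelog_cves = set().union(*cves_by_version(changelog_html).values())
    security_cves = set(CVE_RE.findall(security_html))
    return {
        "both": changelog_cves & security_cves,
        # A changelog-only ID is the audit trigger from the thread: it may be a
        # mitigation for a vulnerability in another product, not a Tomcat CVE.
        "changelog_only": changelog_cves - security_cves,
        "security_only": security_cves - changelog_cves,
    }
```

Run against the real pages, the `changelog_only` set is the list to explain to an auditor entry by entry; the security report stays the record of Tomcat's own vulnerabilities.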
Re: CVE reporting discrepancies

Nic,

On 8/13/20 15:52, Nic P wrote:
> Hi
>
> Can anyone help me understand why some CVEs show in the changelog
> but not on the security report?
>
> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog
> but missing on the security report.
>
> This has come up in an audit and hard to explain which is the System
> of Record information for security fixes.
>
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
>
> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html

This just looks like an oversight to me. The changelog and security
reports are usually updated retrospectively after the release has been
out for a bit so there are no "surprises". It looks like this item
didn't get put into both reports.

Do you have any other instances of this kind of thing?

Thanks,
-chris
CVE reporting discrepancies

Hi

Can anyone help me understand why some CVEs show in the changelog but
not on the security report?

Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but
missing on the security report.

This has come up in an audit and hard to explain which is the System of
Record information for security fixes.

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37

https://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Thanks!