Martin,

On 10/1/19 10:35, Martin Cocaro wrote:
> Apache Tomcat Users Team,
>
> The purpose of this email is to request information regarding
> Apache Tomcat CVE-2018-8037
> <https://www.securityfocus.com/bid/104894/info> possibly affecting
> version 8.0.X (particularly 8.0.53). The CVE was made public on
> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> EOL date of Tomcat 8.0.X was 30-Jun-2018.
>
> Reaching out to you to get confirmation on whether the CVE is
> confirmed to not affect the version 8.0.X or if the CVE was not
> tested against such version at all as its EOL date preceded the
> public disclosure.
>
> Your help on this matter would be greatly appreciated.

That source you are reading (securityfocus) lists all of the
vulnerable versions. If you look at the Mitre report, you'll see the
same thing, except that they provide a *range* of versions instead of
just the individual ones affected.

No Tomcat 8.0.x versions appear in the list.

I haven't personally tested Tomcat 8.0.x against any proof-of-concept
code, but I do not believe it is/was vulnerable to this CVE.

-chris
