> Martin,
> 
> On 10/1/19 10:35, Martin Cocaro wrote:
>> Apache Tomcat Users Team,
> 
>> The purpose of this email is to request information regarding
>> Apache Tomcat CVE-2018-8037
>> <https://www.securityfocus.com/bid/104894/info> possibly affecting
>> version 8.0.X (particularly 8.0.53). The CVE was made public on
>> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
>> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> 
>> Reaching out to you to get confirmation on whether the CVE is
>> confirmed to not affect the version 8.0.X or if the CVE was not
>> tested against such version at all as its EOL date preceded the
>> public disclosure.
> 
>> Your help on this matter would be greatly appreciated.
> 
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
> 
> No Tomcat 8.0.x versions appear in the list.
> 
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.

I've just been reading through the internal discussion for
CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
vulnerable.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
