> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
>> Apache Tomcat Users Team,
>
>> The purpose of this email is to request information regarding
>> Apache Tomcat CVE-2018-8037
>> <https://www.securityfocus.com/bid/104894/info> possibly affecting
>> version 8.0.X (particularly 8.0.53). The CVE was made public on
>> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
>> EOL date of Tomcat 8.0.X was 30-Jun-2018.
>
>> Reaching out to you to get confirmation on whether the CVE is
>> confirmed to not affect the version 8.0.X or if the CVE was not
>> tested against such version at all as its EOL date preceded the
>> public disclosure.
>
>> Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.

I've just been reading through the internal discussion for CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was vulnerable.

Mark