Thank you for the confirmation! Much appreciated.

On Tue, Oct 1, 2019 at 12:46 PM Mark Thomas <ma...@apache.org> wrote:

> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >> Apache Tomcat Users Team,
> >
> >> The purpose of this email is to request information regarding
> >> Apache Tomcat CVE-2018-8037
> >> <https://www.securityfocus.com/bid/104894/info> possibly affecting
> >> version 8.0.X (particularly 8.0.53). The CVE was made public on
> >> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> >> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> >> Reaching out to you to get confirmation on whether the CVE is
> >> confirmed to not affect the version 8.0.X or if the CVE was not
> >> tested against such version at all as its EOL date preceded the
> >> public disclosure.
> >
> >> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see the
> > same thing, except that they provide a *range* of versions instead of
> > just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> > code, but I do not believe it is/was vulnerable to this CVE.
>
> I've just been reading through the internal discussion for
> CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
> vulnerable.
>
> Mark
>
