Martin,

On 10/1/19 12:15, Martin Cocaro wrote:
> Thank you Chris for the answer. The EOL date and its policy made
> me wonder if the CVE was tested against that version.
>
> Is there any place I can get a POC version of the CVE test case so
> that I can do the test myself against version 8.0.53?
Possibly, but we won't be distributing any PoC code, here.

Why not simply plan to migrate to Tomcat 8.5? The process should be
fairly smooth.

-chris

> On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
>>>> Apache Tomcat Users Team,
>>>>
>>>> The purpose of this email is to request information
>>>> regarding Apache Tomcat CVE-2018-8037
>>>> <https://www.securityfocus.com/bid/104894/info> possibly
>>>> affecting version 8.0.X (particularly 8.0.53). The CVE was
>>>> made public on 22-July-2018, after being privately disclosed
>>>> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
>>>> 30-Jun-2018.
>>>>
>>>> Reaching out to you to get confirmation on whether the CVE
>>>> is confirmed to not affect the version 8.0.X or if the CVE
>>>> was not tested against such version at all as its EOL date
>>>> preceded the public disclosure.
>>>>
>>>> Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see
> the same thing, except that they provide a *range* of versions
> instead of just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any
> proof-of-concept code, but I do not believe it is/was vulnerable to
> this CVE.
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
