On 13/08/2020 20:52, Nic P wrote:
> Hi
> 
> Can anyone help me understand why some CVEs show in the changelog but not
> on the security report?
> 
> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but
> missing on the security report.
> 
> This has come up in an audit and it is hard to explain which is the System of
> Record information for security fixes.
> 
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
> 
> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Because CVE-2016-5388 is not an Apache Tomcat vulnerability. The
changelog refers to the mitigation applied to Apache Tomcat to protect
users if they happen to be using vulnerable CGI executables.

Mark
