On 14/08/2020 12:24, Nic P wrote:
> Mark - per NIST this CVE is listed as impact to tomcat
> https://nvd.nist.gov/vuln/detail/CVE-2016-5388 which is how we came to find
> evidence for audit on the version where this was remediated.

As per that description:

<quote>...this is not a CVE ID for a vulnerability.</quote>

Mark


> 
>  On Fri, Aug 14, 2020 at 4:15 AM Mark Thomas <ma...@apache.org> wrote:
> 
>> On 13/08/2020 20:52, Nic P wrote:
>>> Hi
>>>
>>> Can anyone help me understand why some CVEs show in the changelog but
>>> not on the security report?
>>>
>>> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but
>>> missing on the security report.
>>>
>>> This has come up in an audit and hard to explain which is the System of
>>> Record information for security fixes.
>>>
>>>
>>> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
>>>
>>> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html
>>
>> Because CVE-2016-5388 is not an Apache Tomcat vulnerability. The
>> changelog refers to the mitigation applied to Apache Tomcat to protect
>> users if they happen to be using vulnerable CGI executables.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 

