[
https://issues.apache.org/jira/browse/OFBIZ-6752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15038441#comment-15038441
]
Jacques Le Roux commented on OFBIZ-6752:
----------------------------------------
While checking with ["OWASP Dependency
Check"|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61331040]
it reported 3 possible vulnerabilities with using Tomcat 7.0.65. Actually none
of CVE-2009-2696, CVE-2007-5461 and CVE-2002-0493 concern our usage of Tomcat.
So we were safe from them with Tomcat to 7.0.64 and are safe with Tomcat to
7.0.65. I even believe Tomcat 7.0.64 was safe from CVE-2013-2185, but as I said
this is disputed and not clear so I preferred updating. See my message in dev
ML about upgrading to Tomcat 8... http://markmail.org/message/tgdzfcpjhkcmig7d
...
> Updates Tomcat to 7.0.65
> ------------------------
>
> Key: OFBIZ-6752
> URL: https://issues.apache.org/jira/browse/OFBIZ-6752
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 13.07.03, Upcoming Branch
>
>
> Though disputed CVE-2013-2185 indicates a possible vulnerabilty with
> jasper.jar. Better safe than sorry: I will backport to all concerned branches
> (R14 and R13)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
