[ https://issues.apache.org/jira/browse/OFBIZ-6752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15038441#comment-15038441 ]
Jacques Le Roux commented on OFBIZ-6752: ---------------------------------------- While checking with ["OWASP Dependency Check"|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61331040] it reported 3 possible vulnerabilities with using Tomcat 7.0.65. Actually none of CVE-2009-2696, CVE-2007-5461 and CVE-2002-0493 concern our usage of Tomcat. So we were safe from them with Tomcat to 7.0.64 and are safe with Tomcat to 7.0.65. I even believe Tomcat 7.0.64 was safe from CVE-2013-2185, but as I said this is disputed and not clear so I preferred updating. See my message in dev ML about upgrading to Tomcat 8... http://markmail.org/message/tgdzfcpjhkcmig7d ... > Updates Tomcat to 7.0.65 > ------------------------ > > Key: OFBIZ-6752 > URL: https://issues.apache.org/jira/browse/OFBIZ-6752 > Project: OFBiz > Issue Type: Sub-task > Components: framework > Affects Versions: Trunk > Reporter: Jacques Le Roux > Assignee: Jacques Le Roux > Fix For: 14.12.01, 13.07.03, Upcoming Branch > > > Though disputed CVE-2013-2185 indicates a possible vulnerabilty with > jasper.jar. Better safe than sorry: I will backport to all concerned branches > (R14 and R13) -- This message was sent by Atlassian JIRA (v6.3.4#6332)