On 16/03/17 14:25, David Dillard wrote:
> Apologies if this is a duplicate, but I don't see this message in the
> archive so I'm resending.
> 
> 
> Hi,
> 
> I was recently reviewing Tomcat vulnerabilities and I noticed that it
> appears that several CVEs for Tomcat going back to at least September
> of last year have not been published by Mitre.  A few examples:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745
> 
> Does anyone know why they haven't been published?

At some point last year Mitre stopped populating their database from
information posted to bugtraq. Prior to that, population was sometimes
timely, sometimes not.

There was no advance warning of this that I am aware of. I have a little
more insight now that the ASF is a CNA, but not much.

> And more
> importantly, does anyone know how to get these published?

The process has changed and now the projects need to submit this
themselves. See http://www.apache.org/security/committers.html step 15.f)

The ASF was provided with a list of CVEs that were issued in the time
between when Mitre stopped populating their database from bugtraq and when
Mitre informed the ASF of the new process (from memory this covers a period
of months). The ASF has provided the necessary data. When it is loaded is
up to Mitre.

Anyone can submit CVE information via the process indicated above.

> We use some tools to help us identify vulnerable versions based off
> of CVEs published in the NVD and not having them be published for so
> long is causing some problems.

You can try submitting them yourselves. Turnaround seems to be fairly
quick. At least CVE-2016-8747 is listed which I submitted a few days ago.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org