Martin,

On 10/1/19 12:15, Martin Cocaro wrote:
> Thank you Chris for the answer. The EOL date and its policy made
> me wonder if the CVE was tested against that version.
>
> Is there any place I can get a POC version of the CVE test case so
> that I can do the test myself against version 8.0.53?

Possibly, but we won't be distributing any PoC code, here.

Why not simply plan to migrate to Tomcat 8.5? The process should be fairly smooth.

-chris

> On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> [email protected]> wrote:
>
> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
>>>> Apache Tomcat Users Team,
>>>>
>>>> The purpose of this email is to request information
>>>> regarding Apache Tomcat CVE-2018-8037
>>>> <https://www.securityfocus.com/bid/104894/info> possibly
>>>> affecting version 8.0.X (particularly 8.0.53). The CVE was
>>>> made public on 22-July-2018, after being privately disclosed
>>>> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
>>>> 30-Jun-2018.
>>>>
>>>> Reaching out to you to get confirmation on whether the CVE
>>>> is confirmed to not affect the version 8.0.X or if the CVE
>>>> was not tested against such version at all as its EOL date
>>>> preceded the public disclosure.
>>>>
>>>> Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see
> the same thing, except that they provide a *range* of versions
> instead of just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any
> proof-of-concept code, but I do not believe it is/was vulnerable to
> this CVE.
>
> -chris
