No, only 8.x and 9.x.
I assume that Sonatype has done some investigation though.
Do you have any additional context I can share with them to inform their
decision?

*Donal Anglin*

On Tue, Oct 17, 2023 at 6:23 PM Mark Thomas <ma...@apache.org> wrote:

> 17 Oct 2023 16:51:38 Donal Anglin <donal.ang...@equifax.com.INVALID>:
>
> > Hey all,
> >
> > Sonatype are of the opinion that CVE-2023-42794 is also applicable to
> > the 10.x and 11.x streams of Tomcat and issued the notice:
> > The Sonatype Security Research team discovered that this vulnerability
> > is also present and remains unfixed in the 10.x and 11.x branches of
> > Apache Tomcat.
> >
> > I assume they are basing that on the 10.1.x branch missing this commit:
> >
> >
> > https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7
> >
> > https://github.com/apache/tomcat/commits/10.1.x/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
> >
> > Are the 10.x and 11.x streams vulnerable to CVE-2023-42794?
>
> Are those versions listed as vulnerable in the announcement for that CVE
> published by the Tomcat project?
>
> Mark
>
>
> >
> > Thanks,
> >
> >
> > *Donal Anglin*
> >
> > --
> > This message contains proprietary information from Equifax which may be
> > confidential. If you are not an intended recipient, please refrain from
> > any disclosure, copying, distribution or use of this information and note
> > that such actions are prohibited. If you have received this transmission
> > in error, please notify by e-mail postmas...@equifax.com
> > <mailto:postmas...@equifax.com>. Equifax® is a registered trademark of
> > Equifax Inc. All rights reserved.
