17 Oct 2023 18:51:06 Donal Anglin <donal.ang...@equifax.com.INVALID>:
> No, only 8.x and 9.x.

The question was rhetorical. I wrote the official announcement.

> I assume that Sonatype has done some investigation though.
> Do you have any additional context I can share with them to inform their decision?

The onus is on Sonatype to demonstrate that the vulnerability is present in one or more Tomcat versions not listed in the official CVE announcement.

I'll note that Sonatype have NOT followed the rules of responsible disclosure as they have NOT contacted the Tomcat security team about their finding.

Mark

> *Donal Anglin*
>
> On Tue, Oct 17, 2023 at 6:23 PM Mark Thomas <ma...@apache.org> wrote:
>> 17 Oct 2023 16:51:38 Donal Anglin <donal.ang...@equifax.com.INVALID>:
>>> Hey all,
>>>
>>> Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice:
>>>
>>> The Sonatype Security Research team discovered that this vulnerability is also present and remains unfixed in the 10.x and 11.x branches of Apache Tomcat.
>>>
>>> I assume they are basing that on the 10.1.x branch missing this commit:
>>> https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7
>>> https://github.com/apache/tomcat/commits/10.1.x/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
>>>
>>> Are the 10.x and 11.x streams vulnerable to CVE-2023-42794?
>>
>> Are those versions listed as vulnerable in the announcement for that CVE published by the Tomcat project?
>>
>> Mark
>>
>>> Thanks,
>>> *Donal Anglin*
>>>
>>> --
>>> This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmas...@equifax.com <mailto:postmas...@equifax.com>. Equifax® is a registered trademark of Equifax Inc. All rights reserved.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org