Dear Tomcat users,

I am trying to characterize the way vulnerabilities are corrected and I have
used the vulnerability reports of Apache Tomcat in my research work.

Currently I am having difficulty finding out how some of the reported
vulnerabilities were corrected, especially when there is no revision ID
associated with a vulnerability report. Some of the e-mails I found on the
jakarta.tomcat.devel mailing list have guided me (for instance,
http://article.gmane.org/gmane.comp.jakarta.tomcat.devel/79600/match=2007+5333),
but even so I am not finding the files that were changed to correct certain
vulnerabilities (examples: CVE-2008-0002, CVE-2007-3382, CVE-2007-1355).
Could anyone please give me some advice on how to find these files (if they
are available)? I am aware that in some cases instead of changing files
developers provide a security recommendation. I am using diff tools to
compare the fixed and affected version to find out the files that were
changed to correct a vulnerability, but I am wondering whether there is an
easier method to do this.

Many Thanks!
N. Mendes
