On 25/03/2010 16:35, Naaliel Mendes wrote:
> Dear Tomcat users,
>
> I am trying to characterize the way vulnerabilities are corrected and I have
> used the vulnerability reports of the Apache Tomcat in my research work.
>
> Currently I am facing difficulties to find out how some of the reported
> vulnerabilities were corrected, especially when there is no revision ID
> associated to a vulnerability report. Some of the e-mails I found at the
> jakarta.tomcat.devel mailing list have guided me (for instance,
> http://article.gmane.org/gmane.comp.jakarta.tomcat.devel/79600/match=2007+5333),
> but even so I am not finding the files that were changed to correct certain
> vulnerabilities (examples: CVE-2008-0002, CVE-2007-3382, CVE-2007-1355).
> Could anyone please give me some advice on how to find these files (if they
> are available)?

All of the source code, including all the changes, is in SVN. Matching svn rev to CVE is on the todo list.

> I am aware that in some cases instead of changing files
> developers provide a security recommendation. I am using diff tools to
> compare the fixed and affected version to find out the files that were
> changed to correct a vulnerability, but I am wondering whether there is an
> easier method to do this.

The CVEs normally appear in the changelog but without the CVE and a sometimes oblique description. If you can match a CVE to a change log entry it is then easy to use svn to match it up to the code changes.

I'd suggest taking a stab at matching up CVEs and changelog entries and finding the associated svn revisions. If you pick some more of the more recent ones, I should be able to confirm if they are correct or not. And I can then get the security pages and svn log updated.

Mark
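One way to automate the last step Mark describes, mapping a CVE id (or, when the commit message only carries the changelog wording, a changelog phrase) to svn revisions and the source files they touched. This is an added example, not code from the thread or from the Tomcat project; it parses the XML that `svn log -v --xml` produces, and the log below is constructed with made-up revisions, paths and a placeholder CVE id.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `svn log -v --xml` output; the revisions, paths,
# messages and the CVE id are made up for this example, not Tomcat history.
SAMPLE_SVN_LOG_XML = """<log>
<logentry revision="1001"><paths>
<path action="M">/tomcat/trunk/java/org/apache/catalina/connector/Request.java</path>
<path action="M">/tomcat/trunk/webapps/docs/changelog.xml</path>
</paths><msg>Normalise request path before mapping. Fix for CVE-0000-0001 (placeholder).</msg></logentry>
<logentry revision="1002"><paths>
<path action="M">/tomcat/trunk/java/org/apache/catalina/core/ApplicationContext.java</path>
</paths><msg>Prevent web apps reading files outside their context via crafted path.</msg></logentry>
<logentry revision="1003"><paths>
<path action="M">/tomcat/trunk/webapps/docs/changelog.xml</path>
</paths><msg>Update changelog.</msg></logentry>
</log>"""

# Documentation-only paths: a commit that touches nothing else is not the code fix.
NOISE = ("/changelog.xml",)


def find_fix_revisions(log_xml, cve_id, fallback_phrases=()):
    """Return {revision: [changed source paths]} for log entries whose message
    names cve_id. If no message names it (the common case the thread describes),
    fall back to entries whose message contains one of the changelog phrases."""
    entries = []
    for entry in ET.fromstring(log_xml).findall("logentry"):
        msg = entry.findtext("msg") or ""
        paths = [p.text for p in entry.iter("path")
                 if p.text and not p.text.endswith(NOISE)]
        entries.append((int(entry.get("revision")), msg, paths))

    by_cve = {rev: paths for rev, msg, paths in entries
              if paths and re.search(re.escape(cve_id), msg, re.IGNORECASE)}
    if by_cve:
        return by_cve

    phrases = [phrase.lower() for phrase in fallback_phrases]
    return {rev: paths for rev, msg, paths in entries
            if paths and any(phrase in msg.lower() for phrase in phrases)}
```

With a real checkout, feed it the output of `svn log -v --xml -r START:END` and then inspect each returned revision with `svn diff -c REV`.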