Posted to dev@tomcat.apache.org by Tim McCune <tm...@yahoo-inc.com> on 2008/08/19 21:31:58 UTC

Can't find reference to vulnerability fixes in change log

Hi.  I'm looking at http://tomcat.apache.org/security-6.html,
specifically the 4 vulnerabilities that are "Fixed in Apache Tomcat
6.0.18" and trying to find out which commits actually fixed the
vulnerabilities.  I was hoping to be able to check out the change log at
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html but I see no
mention of any of these fixes listed there.  I also tried a bugzilla
search for the issues, but "Zarro Boogs found."

Can anyone give me a pointer to where I could find the actual bugzilla
issues for the vulnerability fixes and/or links to the commits for them?

Thanks.

--Tim


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Can't find reference to vulnerability fixes in change log

Posted by Mark Thomas <ma...@apache.org>.
Tim McCune wrote:
> Hi.  I'm looking at http://tomcat.apache.org/security-6.html,
> specifically the 4 vulnerabilities that are "Fixed in Apache Tomcat
> 6.0.18" and trying to find out which commits actually fixed the
> vulnerabilities.  I was hoping to be able to check out the change log at
> http://tomcat.apache.org/tomcat-6.0-doc/changelog.html but I see no
> mention of any of these fixes listed there.  I also tried a bugzilla
> search for the issues, but "Zarro Boogs found."
> 
> Can anyone give me a pointer to where I could find the actual bugzilla
> issues for the vulnerability fixes and/or links to the commits for them?

Adding svn references to the security pages and CVE references to the
commit log is on my todo list.

Because we have to fix this issue in public, the original commit will make
no reference to them.

You also won't find a bugzilla entry for these for the same reason.

Mark


