Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/08/23 19:56:58 UTC

[Bug 65517] New: upgrade to axis2-adb 1.8.0 to address CVE-2020-0822

https://bz.apache.org/bugzilla/show_bug.cgi?id=65517

            Bug ID: 65517
           Summary: upgrade to axis2-adb 1.8.0 to address CVE-2020-0822
           Product: Tomcat 9
           Version: 9.0.52
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: jeehongm@parasoft.com
  Target Milestone: -----

See https://nvd.nist.gov/vuln/detail/CVE-2020-0822 for more info.

Tomcat 9.0.52 ships with version 1.7.9.  Version 1.8.0 is available which
addresses this CVE.

See
https://lists.apache.org/thread.html/r258f18d563859c0ef9584fd7341426bd14f5042bdf7e7bc396d91272@%3Cjava-dev.axis.apache.org%3E
which shows the axis2 team addressing this CVE in version 1.8.0.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 65517] upgrade to axis2-adb 1.8.0 to address CVE-2020-0822

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65517

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED



[Bug 65517] upgrade to axis2-adb 1.8.0 to address CVE-2020-0822

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65517

--- Comment #4 from Mikko Suonio <mi...@gmail.com> ---
I would like Tomcat developers to state clearly that this is not a valid
vulnerability. This would make it easier for Tomcat users to dismiss the issue
detected by vulnerability analysis of their software.

Also, it would be excellent if you could communicate these inaccuracies to
NIST NVD. This might help to correct the CVE description faster and reduce the
impact to Tomcat users. If this is not possible, users could point NIST staff
to the issue description on the Tomcat site and forums, if available.

Thank you for the quick response. I do not understand why Tomcat was associated
with this CVE.



[Bug 65517] upgrade to axis2-adb 1.8.0 to address CVE-2020-0822

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65517

--- Comment #3 from Jeehong Min <je...@parasoft.com> ---
I filed the original bug.  Afterwards, I realized that I made a mistake when I
was tracing dependencies with CVEs.  Tomcat does not have any dependencies on
axis2-adb.



[Bug 65517] upgrade to axis2-adb 1.8.0 to address CVE-2020-0822

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65517

--- Comment #2 from Mark Thomas <ma...@apache.org> ---
Let me turn that around. What is your basis for claiming that this is a valid
vulnerability in Apache Tomcat?

(Hint: The original description for this contained multiple inaccuracies so
don't take any of that information at face value)



[Bug 65517] upgrade to axis2-adb 1.8.0 to address CVE-2020-0822

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65517

--- Comment #1 from Mikko Suonio <mi...@gmail.com> ---
Can you comment on why this is invalid? Since this is related to a CVE, the
impact needs to be analyzed in many organizations.
