Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2021/08/11 11:39:18 UTC

[GitHub] [tomcat-jakartaee-migration] abdulmuqsith opened a new issue #23: Vulnerability with Apache Commons Compress v1.20

abdulmuqsith opened a new issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23


   The Apache Commons Compress v1.20 library included in this library has the following CVEs associated:
   
   | Identifier | Published | Overall Score |
   | -- | -- | -- |
   | NVD CVE-2021-35516 (BDSA-2021-2075) | Jul 13, 2021 | 7.5 High |
   | NVD CVE-2021-35517 (BDSA-2021-2078) | Jul 13, 2021 | 7.5 High |
   | NVD CVE-2021-36090 (BDSA-2021-2073) | Jul 13, 2021 | 7.5 High |
   | NVD CVE-2021-35515 (BDSA-2021-2076) | Jul 13, 2021 | 7.5 High |


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[GitHub] [tomcat-jakartaee-migration] abdulmuqsith commented on issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
abdulmuqsith commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897316898


   Vulnerability scanning tools are reporting Tomcat as vulnerable even though this CVE is very unlikely to be exploited. Any plans to upgrade Commons Compress?


[GitHub] [tomcat-jakartaee-migration] markt-asf commented on issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
markt-asf commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897054343


   Relevant how? How does an attacker exploit this?


[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
ebourg commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897111748


   Very vaguely relevant, the tool would have to be used on an untrusted war, but that's not really the use case intended.


[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
ebourg commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897000783


   Only CVE-2021-36090 is relevant here, we only use the zip archive implementation of Commons Compress.


[GitHub] [tomcat-jakartaee-migration] abdulmuqsith commented on issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
abdulmuqsith commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897404156


   Thank you


[GitHub] [tomcat-jakartaee-migration] markt-asf closed issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
markt-asf closed issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23


   


[GitHub] [tomcat-jakartaee-migration] markt-asf commented on issue #23: Vulnerability with Apache Commons Compress v1.20

Posted by GitBox <gi...@apache.org>.
markt-asf commented on issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897403716


   No plans to update.
   Automated scanning tools (including those that look at dependencies without considering the context in which it is used) generate a large number of false positive vulnerability reports. The default position of the ASF is to reject all such reports unless accompanied by an explanation, PoC or similar that demonstrates a genuinely exploitable issue.
   We usually (but not always) look at dependencies and update them as part of release preparation.
   There are currently no plans for the next release.


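The thread turns on two claims that a dependency scanner cannot see: ebourg's that the tool only references the zip reader of Commons Compress, and markt-asf's that scanners which look at a dependency without the context in which it is used produce false positives. The script below is an added example, not code from this thread or from the tomcat-jakartaee-migration project, that performs the missing context check. It opens a jar, decodes the JVM constant pool of every class that is not itself part of Commons Compress, collects the Commons Compress sub-packages those classes reference, and then says which of the four CVEs sit in a package the jar actually touches. The sample jar, the minimal class files inside it and the name example/Tool.class are constructed here; the CVE-to-package mapping follows the published CVE descriptions (7z reader for CVE-2021-35515 and CVE-2021-35516, tar reader for CVE-2021-35517, zip reader for CVE-2021-36090).

```python
"""Which Commons Compress packages does a jar actually reference?

Decodes the constant pool of each .class file in a jar and collects the
CONSTANT_Class entries under org/apache/commons/compress/. A CVE in a
reader the code never references is not reachable from that code.
"""
from __future__ import annotations

import io
import struct
import zipfile
from collections import defaultdict

COMPRESS_PREFIX = "org/apache/commons/compress/"

# Affected Commons Compress 1.20 reader per CVE, taken from the CVE descriptions.
CVE_PACKAGE = {
    "CVE-2021-35515": "archivers/sevenz",
    "CVE-2021-35516": "archivers/sevenz",
    "CVE-2021-35517": "archivers/tar",
    "CVE-2021-36090": "archivers/zip",
}


def referenced_classes(class_bytes: bytes) -> set[str]:
    """Internal names of every class named in a class file's constant pool."""
    buf = io.BytesIO(class_bytes)
    magic, _minor, _major, count = struct.unpack(">IHHH", buf.read(10))
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    utf8: dict[int, str] = {}
    class_refs: list[int] = []
    i = 1                                    # constant pool indices start at 1
    while i < count:
        tag = buf.read(1)[0]
        if tag == 1:                         # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", buf.read(2))
            utf8[i] = buf.read(length).decode("utf-8", "replace")
        elif tag == 7:                       # CONSTANT_Class: u2 name_index
            class_refs.append(struct.unpack(">H", buf.read(2))[0])
        elif tag in (8, 16, 19, 20):         # String, MethodType, Module, Package
            buf.read(2)
        elif tag in (3, 4):                  # Integer, Float
            buf.read(4)
        elif tag in (5, 6):                  # Long, Double: 8 bytes and two slots
            buf.read(8)
            i += 1
        elif tag in (9, 10, 11, 12, 17, 18): # Field/Method refs, NameAndType, (Invoke)Dynamic
            buf.read(4)
        elif tag == 15:                      # MethodHandle: u1 kind + u2 index
            buf.read(3)
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return {utf8[idx] for idx in class_refs if idx in utf8}


def compress_packages_used(jar_bytes: bytes) -> dict[str, set[str]]:
    """Map each referenced Commons Compress sub-package to the classes referencing it.

    Classes that are themselves part of Commons Compress (a shaded copy) are
    skipped: the library referencing itself says nothing about what the tool calls.
    """
    uses: dict[str, set[str]] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class") or name.startswith(COMPRESS_PREFIX):
                continue
            for ref in referenced_classes(jar.read(name)):
                if ref.startswith(COMPRESS_PREFIX):
                    pkg = ref[len(COMPRESS_PREFIX):].rsplit("/", 1)[0]
                    uses[pkg].add(name)
    return dict(uses)


def reachable_cves(jar_bytes: bytes) -> dict[str, bool]:
    """True for each CVE whose affected package the jar's own code references."""
    used = compress_packages_used(jar_bytes)
    return {cve: pkg in used for cve, pkg in CVE_PACKAGE.items()}


def _class_file(*class_names: str) -> bytes:
    """Constructed minimal class file: a constant pool naming the given classes.

    Enough for constant pool scanning; the JVM itself would reject it.
    """
    pool = b""
    count = 1
    for name in class_names:
        enc = name.encode()
        pool += struct.pack(">BH", 1, len(enc)) + enc  # Utf8 at index `count`
        pool += struct.pack(">BH", 7, count)            # Class -> that Utf8
        count += 2
    pool += struct.pack(">Bq", 5, 42)                   # a Long, to exercise the two-slot case
    count += 2
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count) + pool


def sample_jar() -> bytes:
    """Constructed stand-in for a tool jar bundling a shaded Commons Compress copy."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("example/Tool.class", _class_file(
            "org/apache/commons/compress/archivers/zip/ZipFile",
            "org/apache/commons/compress/archivers/zip/ZipArchiveEntry",
            "java/io/File"))
        # The shaded library references its own 7z and tar readers; not tool usage.
        jar.writestr("org/apache/commons/compress/archivers/ArchiveStreamFactory.class",
                     _class_file("org/apache/commons/compress/archivers/sevenz/SevenZFile",
                                 "org/apache/commons/compress/archivers/tar/TarArchiveInputStream"))
    return out.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_jar()
    for pkg, users in sorted(compress_packages_used(data).items()):
        print(f"{pkg}: referenced by {', '.join(sorted(users))}")
    for cve, hit in reachable_cves(data).items():
        print(f"{cve}: {'package referenced' if hit else 'package not referenced'}")
```

Run it with the path to the shaded jar as the only argument; without an argument it scans the constructed sample, which references only archivers/zip and therefore flags only CVE-2021-36090. If a build relocates the shaded packages, change COMPRESS_PREFIX to the relocated prefix. A reference in the constant pool is a necessary condition for reachability, not proof of exploitability: as ebourg notes above, the remaining CVE still requires the tool to be run on an untrusted war.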