Posted to users@tomcat.apache.org by Nikola Vouk <Ni...@sas.com> on 2017/01/23 20:18:52 UTC

Tomcat 8.0.41 release date and CVE-2016-8735

I've been reviewing the release logs on the security fixes going into Tomcat (https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40), and I would like to ask if you could clarify a couple of things for me please:


1)      8.0.41 release date:
8.0.40 seems to have been indefinitely shelved but it contains the fix for CVE-2016-8745<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745>. The change log says 'release in progress', but what is the time expected for the release to be completed --- days or weeks?

2)      CVE-2016-8735<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735> bug fix id:
The change log for 8.0.39 says that CVE-2016-8735 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735> was fixed in 1767656 <http://svn.apache.org/viewvc?view=rev&rev=1767656>, but that points directly to the code change. I couldn't find any bug fix specifically for that issue, so I'm guessing it was a code-only change?

3)      Reserved CVEs updated in NVD
A number of the more recent CVEs are still in the reserved state in NVD. Are there plans to update NVD with the details? When NVD gets updated, all the world's scanners start processing it and flagging the software for the fixes.

Thank you,
Nikola

Re: Tomcat 8.0.41 release date and CVE-2016-8735

Posted by Mark Thomas <ma...@apache.org>.
On 23/01/2017 20:18, Nikola Vouk wrote:
>    I've been reviewing the release logs on the security fixes going into Tomcat (https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40), and I would like to ask if you could clarify a couple of things for me please:
> 
> 
> 1)      8.0.41 release date:
> 8.0.40 seems to have been indefinitely shelved but it contains the fix for CVE-2016-8745<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745>. The change log says 'release in progress', but what is the time expected for the release to be completed --- days or weeks?

The release vote takes place on the dev list. You can follow along
there. The release looks to be imminent (assuming no regression is found).

> 2)      CVE-2016-8735<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735> bug fix id:
> The change log for 8.0.39 says that CVE-2016-8735 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735> was fixed in 1767656 <http://svn.apache.org/viewvc?view=rev&rev=1767656>, but that points directly to the code change. I couldn't find any bug fix specifically for that issue, so I'm guessing it was a code-only change?

Not every change has an associated Bugzilla entry.

> 3)      Reserved CVEs updated in NVD
> A number of the more recent CVEs are still in the reserved state in NVD. Are there plans to update NVD with the details? When NVD gets updated, all the world's scanners start processing it and flagging the software for the fixes.

That is fairly typical for Mitre. There is a new(ish) web form that can
be used to provide updates if Mitre miss them.

Mark
