On 23/01/2017 20:18, Nikola Vouk wrote:
> I've been reviewing the release logs on the security fixes going into
> tomcat (https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40),
> and I would like to ask if you could clarify a couple of things for me please:
>
> 1) 8.0.41 release date:
> 8.0.40 seems to have been indefinitely shelved but it contains the fix for
> CVE-2016-8745 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745>.
> The change log says 'release in progress', but what is the time expected for
> the release to be completed --- days or weeks?
The release vote takes place on the dev list. You can follow along there.
The release looks to be imminent (assuming no regression is found).

> 2) CVE-2016-8735 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735>
> bug fix id:
> The change log for 8.0.39 says that
> CVE-2016-8735 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735>
> was fixed in 1767656 <http://svn.apache.org/viewvc?view=rev&rev=1767656> but
> that points directly to the code change. I couldn't find any bugfix
> specifically for that issue so I'm guessing it was a code-only change?

Not every change has an associated Bugzilla entry.

> 3) Reserved CVEs updated in NVD
> A number of the more recent CVEs are still in the reserved state in NVD. Are
> there plans to update NVD with the details? When NVD gets updated, all the
> world's scanners start processing it and flagging the software for the fixes.

That is fairly typical for Mitre. There is a new(ish) web form that can be
used to provide updates if Mitre miss them.

Mark