Nic,

On 8/13/20 15:52, Nic P wrote:
> Hi
>
> Can anyone help me understand why some CVEs show in the changelog
> but not on the security report?
>
> Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog
> but missing on the security report.
>
> This has come up in an audit and hard to explain which is the System
> of Record information for security fixes.
>
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
>
> https://tomcat.apache.org/tomcat-8.0-doc/changelog.html

This just looks like an oversight to me. The changelog and security
reports are usually updated retrospectively after the release has been
out for a bit so there are no "surprises".

It looks like this item didn't get put into both reports.

Do you have any other instances of this kind of thing?

Thanks,
-chris
