Mark - per NIST this CVEis listed as impact to tomcat https://nvd.nist.gov/vuln/detail/CVE-2016-5388 which is how we came to find evidence for audit on the version where this was remediated.
On Fri, Aug 14, 2020 at 4:15 AM Mark Thomas <ma...@apache.org> wrote: > On 13/08/2020 20:52, Nic P wrote: > > Hi > > > > Can anyone help me understand why some CVE's show in the changelog but > not > > on the security report? > > > > Example is CVE-2016-5388 which shows as fixed in 8.0.37 changelog but > > missing on the security report. > > > > This has come up in a audit and hard to explain which is the System of > > Record information for security fixes. > > > > > https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37 > > > > https://tomcat.apache.org/tomcat-8.0-doc/changelog.html > > Because CVE-2016-5388 is not an Apache Tomcat vulnerability. The > changelog refers to the mitigation applied to Apache Tomcat to protect > users if they happen to be using vulnerable CGI executables. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
