17 Oct 2023 16:51:38 Donal Anglin <donal.ang...@equifax.com.INVALID>:

Hey all,

Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice:

"The Sonatype Security Research team discovered that this vulnerability is also present and remains unfixed in the 10.x and 11.x branches of Apache Tomcat."

I assume they are basing that on the 10.1.x branch missing this commit:

https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7

https://github.com/apache/tomcat/commits/10.1.x/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java

Are the 10.x and 11.x streams vulnerable to CVE-2023-42794?

Are those versions listed as vulnerable in the announcement for that CVE published by the Tomcat project?

Mark



Thanks,


Donal Anglin


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
