All,

Over the next few days the Tomcat security team will be updating the
official CVE records for Tomcat CVEs CVE-2022-45143 onwards to
explicitly state (rather than just imply) that "Older, EOL versions may
also be affected."

We will also explicitly add a version range with a start of "3" and an
end of "< 9" marked as unknown to provide the same information to
automated tools.

Once that has completed we will then be working through and validating a
contributed analysis of CVEs published since 8.5.x became EOL and
whether those CVEs impact the 8.5.x branch. As the data for each CVE is
validated, we will be updating the CVE record to include exact affected
version information for 8.5.x.

There may be further updates in the future if the Tomcat security team
receives further contributions that analyse other EOL versions.

The Apache Tomcat Security Team
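
The following is an added example, not part of the announcement and not code from the Tomcat project: a sketch of how a consuming tool could evaluate a version range marked "unknown" so that EOL installations are flagged for review rather than reported as clean. The field names follow the CVE JSON 5 record format; the sample record, its 9.0.x range, the precedence rule and the helper names are assumptions made for illustration.

```python
# Constructed "affected" entry for one product. Only the 3 .. <9 "unknown"
# range comes from the announcement; the 9.0.x range is a made-up placeholder.
SAMPLE_AFFECTED = {
    "defaultStatus": "unaffected",
    "versions": [
        {"version": "9.0.0", "lessThanOrEqual": "9.0.68", "status": "affected"},
        {"version": "3", "lessThan": "9", "status": "unknown"},
    ],
}

def parse(version):
    """Turn a dotted numeric version such as '8.5.100' into a comparable tuple.
    Assumption: no milestone or qualifier suffixes (e.g. '-M1')."""
    return tuple(int(part) for part in version.split("."))

def in_range(ver, entry):
    """True if the parsed version falls inside one versions[] entry."""
    low = parse(entry["version"])
    if "lessThan" in entry:
        return low <= ver < parse(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return low <= ver <= parse(entry["lessThanOrEqual"])
    return ver == low  # entry names a single version

def classify(version, affected):
    """Return 'affected', 'unknown' or 'unaffected' for one installed version.
    Assumed precedence when ranges overlap: affected > unknown > unaffected,
    so a later exact 8.5.x range would override the broad unknown range."""
    ver = parse(version)
    hits = {e["status"] for e in affected["versions"] if in_range(ver, e)}
    for status in ("affected", "unknown", "unaffected"):
        if status in hits:
            return status
    return affected.get("defaultStatus", "unknown")

def needs_review(inventory, affected):
    """Map each installed version that is not provably unaffected to its status."""
    results = {v: classify(v, affected) for v in inventory}
    return {v: s for v, s in results.items() if s != "unaffected"}

if __name__ == "__main__":
    # Constructed inventory of installed Tomcat versions.
    for v, s in needs_review(["10.1.5", "9.0.50", "8.5.100", "7.0.109"],
                             SAMPLE_AFFECTED).items():
        print(f"{v}: {s}")
```

A scanner that only tests for `status == "affected"` would report the 8.5.x and 7.0.x installations above as clean; treating "unknown" as its own outcome keeps them on the review list.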