On Thu, Mar 25, 2010 at 5:11 PM, Mark Thomas <ma...@apache.org> wrote:
> On 25/03/2010 16:35, Naaliel Mendes wrote:
> > Dear Tomcat users,
> >
> > I am trying to characterize the way vulnerabilities are corrected and I
> > have used the vulnerability reports of Apache Tomcat in my research
> > work.
> >
> > Currently I am facing difficulties in finding out how some of the
> > reported vulnerabilities were corrected, especially when there is no
> > revision ID associated with a vulnerability report. Some of the e-mails
> > I found on the jakarta.tomcat.devel mailing list have guided me (for
> > instance,
> > http://article.gmane.org/gmane.comp.jakarta.tomcat.devel/79600/match=2007+5333),
> > but even so I am not finding the files that were changed to correct
> > certain vulnerabilities (examples: CVE-2008-0002, CVE-2007-3382,
> > CVE-2007-1355). Could anyone please give me some advice on how to find
> > these files (if they are available)?
>
> All of the source code - including all the changes - is in SVN.
>
> Matching svn rev to CVE is on the todo list.
>
> > I am aware that in some cases instead of changing files developers
> > provide a security recommendation. I am using diff tools to compare the
> > fixed and affected versions to find out the files that were changed to
> > correct a vulnerability, but I am wondering whether there is an easier
> > method to do this.
>
> The CVEs normally appear in the changelog but without the CVE and a
> sometimes oblique description. If you can match a CVE to a changelog
> entry it is then easy to use svn to match it up to the code changes.
>
> I'd suggest taking a stab at matching up CVEs and changelog entries and
> finding the associated svn revisions. If you pick some more of the more
> recent ones, I should be able to confirm if they are correct or not. And
> I can then get the security pages and svn log updated.

Thank you for your suggestion. I am working on that and, if I succeed, I will send you the results of the mapping between CVEs and changelog entries and their respective svn revision IDs.
Should I use this mailing list to keep in touch?

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
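A worked illustration of the procedure Mark outlines (match each CVE description to a changelog entry by wording, take the svn revision from that entry, then read the changed files out of `svn log -v`), added here as an example; it is not code from this thread or from the Tomcat project. The changelog lines, the CVE descriptions (placeholder identifiers, not the CVEs named above), and the `svn log -v` output are all constructed, and the flat "rev: description (committer)" changelog format is an assumption. A CVE whose wording overlaps no entry is returned as unmatched rather than forced onto the best guess, which is the case that needs the manual confirmation Mark offers.

```python
"""Map CVE descriptions to changelog entries and then to the files the
matching SVN revision changed.  Added example for this thread, not Tomcat
project code; all sample data below is constructed for illustration."""
import re

STOPWORDS = {"a", "an", "the", "in", "of", "to", "and", "is", "are", "when",
             "with", "for", "that", "this", "by", "on", "via", "as", "be"}

# Constructed changelog text in an assumed flat "rev: description (who)" form.
CHANGELOG = """\
923100: Ensure cookie values containing a single quote are not treated as delimiters. (markt)
923101: Update documentation for the manager application. (markt)
923102: Do not reuse request parameters from a previous request when parameter parsing throws an exception. (markt)
923103: Escape user supplied values in the JSP calendar example to prevent script injection. (markt)
"""

# Constructed CVE descriptions with placeholder identifiers.
CVES = {
    "CVE-EXAMPLE-1": "single quote characters in cookies are treated as delimiters",
    "CVE-EXAMPLE-2": "parameters are processed in the context of the wrong request "
                     "when an exception occurs during parameter processing",
    "CVE-EXAMPLE-3": "native connector crashes on malformed AJP packets",  # no entry
}

# Constructed `svn log -v` output for two of the revisions named in CHANGELOG.
SVN_LOG = """\
------------------------------------------------------------------------
r923100 | markt | 2010-03-15 10:00:00 +0000 (Mon, 15 Mar 2010) | 1 line
Changed paths:
   M /tomcat/trunk/java/org/apache/tomcat/util/http/Cookies.java
   M /tomcat/trunk/webapps/docs/changelog.xml

Ensure cookie values containing a single quote are not treated as delimiters.
------------------------------------------------------------------------
r923102 | markt | 2010-03-16 11:00:00 +0000 (Tue, 16 Mar 2010) | 1 line
Changed paths:
   M /tomcat/trunk/java/org/apache/catalina/connector/Request.java
   M /tomcat/trunk/webapps/docs/changelog.xml

Do not reuse request parameters from a previous request when parameter parsing throws an exception.
------------------------------------------------------------------------
"""


def tokens(text):
    """Lower-case word set minus stopwords, with a crude plural strip."""
    words = re.findall(r"[a-z]+", text.lower())
    return {w.rstrip("s") for w in words if w not in STOPWORDS}


def parse_changelog(text):
    """Return [(revision, description)] from 'rev: description (who)' lines."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s*(.*?)\s*\(\w+\)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def match_cve(description, entries, threshold=0.3):
    """Pick the entry that contains the largest share of the CVE's words.
    Returns (revision, score), or None when no entry clears the threshold
    so the CVE is left for manual review instead of a forced guess."""
    cve_words = tokens(description)
    if not cve_words:
        return None
    best, best_score = None, 0.0
    for rev, desc in entries:
        score = len(cve_words & tokens(desc)) / len(cve_words)
        if score > best_score:
            best, best_score = rev, score
    return (best, best_score) if best_score >= threshold else None


def parse_svn_log(text):
    """Parse `svn log -v` output into {revision: [changed paths]}."""
    changes, rev = {}, None
    for line in text.splitlines():
        m = re.match(r"^r(\d+) \| ", line)
        if m:
            rev = int(m.group(1))
            changes[rev] = []
        elif rev is not None and re.match(r"^   [AMDR] /", line):
            changes[rev].append(line.split(None, 1)[1])
    return changes


def map_cves(cves=CVES, changelog=CHANGELOG, svn_log=SVN_LOG):
    """CVE id -> {'revision', 'score', 'files'}, or None when unmatched."""
    entries = parse_changelog(changelog)
    changes = parse_svn_log(svn_log)
    result = {}
    for cve, desc in cves.items():
        hit = match_cve(desc, entries)
        if hit is None:
            result[cve] = None
            continue
        rev, score = hit
        result[cve] = {"revision": rev, "score": round(score, 2),
                       "files": changes.get(rev, [])}
    return result


if __name__ == "__main__":
    for cve, info in map_cves().items():
        print(cve, "->", info or "no confident changelog match; review manually")
```

The score is the share of the CVE's words that appear in the entry rather than a symmetric overlap, because changelog entries are often longer and worded differently from the CVE text; the match is still only a candidate, and the printed score is there so the low-confidence ones can be checked against the actual diff before being reported back.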