
List:       tomcat-user
Subject:    Re: [IE] Re: CVE-2023-42794 on 10.1.x
From:       Mark Thomas <markt () apache ! org>
Date:       2023-10-17 18:06:31
Message-ID: be1ffea4-e584-464a-9463-60a3810bea54 () apache ! org

17 Oct 2023 18:51:06 Donal Anglin <donal.anglin@equifax.com.INVALID>:

> No, only 8.x and 9.x.

The question was rhetorical. I wrote the official announcement.

> I assume that Sonatype has done some investigation though.
> Do you have any additional context I can share with them to inform
> their decision?

The onus is on Sonatype to demonstrate that the vulnerability is present 
in one or more Tomcat versions not listed in the official CVE 
announcement.

I'll note that Sonatype have NOT followed the rules of responsible 
disclosure as they have NOT contacted the Tomcat security team of their 
finding.

Mark


> 
> *Donal Anglin*
> 
> On Tue, Oct 17, 2023 at 6:23 PM Mark Thomas <markt@apache.org> wrote:
> 
> > 17 Oct 2023 16:51:38 Donal Anglin <donal.anglin@equifax.com.INVALID>:
> > 
> > > Hey all,
> > > 
> > > Sonatype are of the opinion that CVE-2023-42794 is also applicable to
> > > the 10.x and 11.x streams of Tomcat and issued the notice:
> > > The Sonatype Security Research team discovered that this vulnerability
> > > is also present and remains unfixed in the 10.x and 11.x branches of
> > > Apache Tomcat.
> > > 
> > > I assume they are basing that on the 10.1.x branch missing this commit:
> > > 
> > > https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7
> > > 
> > > https://github.com/apache/tomcat/commits/10.1.x/java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java
> > > 
> > > Are the 10.x and 11.x streams vulnerable to CVE-2023-42794?
> > 
> > Are those versions listed as vulnerable in the announcement for that CVE
> > published by the Tomcat project?
> > 
> > Mark
> > 
> > 
> > > 
> > > Thanks,
> > > 
> > > 
> > > *Donal Anglin*
> > > 
> > > --
> > > This message contains proprietary information from Equifax which may be
> > > confidential. If you are not an intended recipient, please refrain from
> > > any disclosure, copying, distribution or use of this information and note
> > > that such actions are prohibited. If you have received this transmission
> > > in error, please notify by e-mail postmaster@equifax.com
> > > <mailto:postmaster@equifax.com>. Equifax ® is a registered trademark of
> > > Equifax Inc. All rights reserved.
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 
> 
> --
> This message contains proprietary information from Equifax which may be
> confidential. If you are not an intended recipient, please refrain from
> any disclosure, copying, distribution or use of this information and note
> that such actions are prohibited. If you have received this transmission in
> error, please notify by e-mail postmaster@equifax.com
> <mailto:postmaster@equifax.com>. Equifax ® is a registered trademark of
> Equifax Inc. All rights reserved.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


