[
https://issues.apache.org/jira/browse/OFBIZ-6752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15038441#comment-15038441 ]
Jacques Le Roux commented on OFBIZ-6752:
----------------------------------------
While checking with ["OWASP Dependency Check"|
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61331040] it reported 3 possible vulnerabilities with using Tomcat 7.0.65. Actually none of CVE-2009-2696, CVE-2007-5461 and CVE-2002-0493 concern our usage of Tomcat. So we were safe from them with Tomcat to 7.0.64 and are safe with Tomcat to 7.0.65. I even believe Tomcat 7.0.64 was safe from CVE-2013-2185, but as I said this is disputed and not clear so I preferred updating. See my message in dev ML about upgrading to Tomcat 8...
http://markmail.org/message/tgdzfcpjhkcmig7d ...
> Updates Tomcat to 7.0.65
> ------------------------
>
> Key: OFBIZ-6752
> URL:
https://issues.apache.org/jira/browse/OFBIZ-6752> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 14.12.01, 13.07.03, Upcoming Branch
>
>
> Though disputed CVE-2013-2185 indicates a possible vulnerabilty with jasper.jar. Better safe than sorry: I will backport to all concerned branches (R14 and R13)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
Locked
