Author: markt
Date: Wed Oct 29 11:33:27 2025
New Revision: 1929402
Log:
Add info that affected version info for EOL versions MIGHT be provided in the
CVE record
Modified:
tomcat/site/trunk/docs/security-3.html
tomcat/site/trunk/docs/security-4.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-3.xml
tomcat/site/trunk/xdocs/security-4.xml
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
Modified: tomcat/site/trunk/docs/security-3.html
==============================================================================
--- tomcat/site/trunk/docs/security-3.html Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/docs/security-3.html Wed Oct 29 11:33:27 2025
(r1929402)
@@ -12,6 +12,15 @@
vulnerabilities in the 3.x branches will not be fixed. Users should
upgrade
to 9.0.x or later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please send comments or corrections for these vulnerabilities to the
<a href="security.html">Tomcat Security Team</a>.</p>
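Review bot: The last added line has a doubled word, "made if if the status of an EOL version is updated"; drop one "if". The same line appears verbatim in every other file touched by this revision, so the correction has to be applied to each copy.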
Modified: tomcat/site/trunk/docs/security-4.html
==============================================================================
--- tomcat/site/trunk/docs/security-4.html Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/docs/security-4.html Wed Oct 29 11:33:27 2025
(r1929402)
@@ -17,6 +17,15 @@
fixed. Users should upgrade to 9.0.x or later to obtain security fixes.
</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please send comments or corrections for these vulnerabilities to the
<a href="security.html">Tomcat Security Team</a>.</p>
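Review bot: The added paragraph says that only the published CVE record will be updated, but it never says where those records are published. Because the same paragraph states that this page will not be updated and no email will be sent, a link on "The published CVE records" in the first added line would give readers of this page a way to reach the current status of an EOL version.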
Modified: tomcat/site/trunk/docs/security-6.html
==============================================================================
--- tomcat/site/trunk/docs/security-6.html Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/docs/security-6.html Wed Oct 29 11:33:27 2025
(r1929402)
@@ -17,6 +17,15 @@
Further vulnerabilities in the 6.0.x branch will not be fixed. Users
should upgrade to 9.0.x or later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 6.0 those are
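Review bot: The status terms in the added paragraph are inconsistent. The second sentence names the default status as "unknown", while the bold sentence uses "affected / not-affected". Use the exact status values as they appear in the CVE record in both places, so a reader can match the wording on this page against the record they are looking at.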
Modified: tomcat/site/trunk/docs/security-7.html
==============================================================================
--- tomcat/site/trunk/docs/security-7.html Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/docs/security-7.html Wed Oct 29 11:33:27 2025
(r1929402)
@@ -17,6 +17,15 @@
Further vulnerabilities in the 7.0.x branch will not be fixed. Users
should upgrade to 9.0.x or later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 7.0 those are
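Review bot: "reported from 2023 onwards" in the first added line is ambiguous about which date counts (when the issue was reported to the project or when the CVE record was published) and about whether the whole of 2023 is included. A concrete cut-off date, or "CVE records published on or after ...", would let a reader decide whether a given record is expected to carry EOL version information at all.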
Modified: tomcat/site/trunk/docs/security-8.html
==============================================================================
--- tomcat/site/trunk/docs/security-8.html Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/docs/security-8.html Wed Oct 29 11:33:27 2025
(r1929402)
@@ -20,10 +20,19 @@
<p><strong>Please note that Tomcat 8.5.x has reached
<a href="tomcat-85-eol.html">end of life</a> and is no longer supported.
- Vulnerabilities reported after 31 March 2024 were not checked against
the
- 8.5.x branch and will not be fixed. Users should upgrade to 9.0.x or
+ Vulnerabilities reported after 31 March 2024 are not listed below and
+ will not be fixed. Users should upgrade to 9.0.x or
later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 8.5 those are
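Review bot: The reworded sentence drops the statement that vulnerabilities reported after 31 March 2024 "were not checked against the 8.5.x branch", and the added paragraph does not restate it; it only says the default status is "unknown". If those reports are still not assessed against 8.5.x, keep that explicit, because "are not listed below" on its own can be read as "8.5.x is not affected".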
Modified: tomcat/site/trunk/xdocs/security-3.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-3.xml Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/xdocs/security-3.xml Wed Oct 29 11:33:27 2025
(r1929402)
@@ -21,6 +21,15 @@
vulnerabilities in the 3.x branches will not be fixed. Users should
upgrade
to 9.0.x or later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please send comments or corrections for these vulnerabilities to the
<a href="security.html">Tomcat Security Team</a>.</p>
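Review bot: The eight added lines are identical in all ten files of this revision, both under docs/ and under xdocs/. If the site build allows a shared fragment, define the notice once and include it on each EOL page, so that a later wording change (such as the "if if" in the last added line) is made in one place and the copies cannot drift apart.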
Modified: tomcat/site/trunk/xdocs/security-4.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-4.xml Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/xdocs/security-4.xml Wed Oct 29 11:33:27 2025
(r1929402)
@@ -26,6 +26,15 @@
fixed. Users should upgrade to 9.0.x or later to obtain security fixes.
</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please send comments or corrections for these vulnerabilities to the
<a href="security.html">Tomcat Security Team</a>.</p>
Modified: tomcat/site/trunk/xdocs/security-6.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-6.xml Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed Oct 29 11:33:27 2025
(r1929402)
@@ -26,6 +26,15 @@
Further vulnerabilities in the 6.0.x branch will not be fixed. Users
should upgrade to 9.0.x or later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 6.0 those are
Modified: tomcat/site/trunk/xdocs/security-7.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Oct 29 11:33:27 2025
(r1929402)
@@ -26,6 +26,15 @@
Further vulnerabilities in the 7.0.x branch will not be fixed. Users
should upgrade to 9.0.x or later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 7.0 those are
Modified: tomcat/site/trunk/xdocs/security-8.xml
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml Wed Oct 29 10:14:57 2025
(r1929401)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed Oct 29 11:33:27 2025
(r1929402)
@@ -29,10 +29,19 @@
<p><strong>Please note that Tomcat 8.5.x has reached
<a href="tomcat-85-eol.html">end of life</a> and is no longer supported.
- Vulnerabilities reported after 31 March 2024 were not checked against
the
- 8.5.x branch and will not be fixed. Users should upgrade to 9.0.x or
+ Vulnerabilities reported after 31 March 2024 are not listed below and
+ will not be fixed. Users should upgrade to 9.0.x or
later to obtain security fixes.</strong></p>
+ <p>The published CVE records for vulnerabilities reported from 2023 onwards
+ include affected version information for EOL versions. By default, the
+ status for EOL versions is reported as unknown. <strong>Where additional
+ information is available, the published CVE record may be updated to
+ indicate whether an EOL version is affected / not-affected. Only the
+ published CVE record will be updated. This page will NOT be updated if
+ the status of an EOL version is updated. No email announcement will be
+ made if if the status of an EOL version is updated.</strong></p>
+
<p>Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 8.5 those are
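Review bot: On this page the two date ranges overlap. The first paragraph implies that vulnerabilities reported up to 31 March 2024 are listed below, while the added paragraph says that for records "from 2023 onwards" the status of EOL versions is "unknown" by default. State which source takes precedence for 8.5.x reports between 2023 and 31 March 2024, or limit the added paragraph on this page to reports after 31 March 2024.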