Sam Morris via FreeIPA-users wrote: > On Mon, 2023-10-30 at 22:35 +0000, Marcelo Carvalho via FreeIPA-users > wrote: >> Hi Rob >> >> Thanks for helping out here. I was pulled sideways and I am >> returning to this issue now. I am sorry. >> >> Vulnerability showing is "Apache Tomcat 9.0.0-M1 < 9.0.68 Request >> Smuggling Vulnerability" > > If this scanner gives you a CVE reference then look it up at > https://access.redhat.com/security/cve/ > > If the vulnerability has been fixed in a backport, or if the scanner > doesn't give you a CVE reference, then that is evidence that the > scanner is garbage.
That's a bit blunter than I'd have been :-). But yes, some security scanners seem to compare only version numbers and don't seem to understand the way RHEL handles backports. See https://access.redhat.com/security/updates/backporting/ Tomcat is (should) not be exposed beyond IPA servers so remote users should not be able to make direct requests. rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
