I've been reviewing the release logs on the security fixes going into tomcat (https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40) , and I would like to ask if you could clarify a couple of things for me please:
1) 8.0.41 release date: 8.0.40 seems to have been indefinitely shelved but it contains the fix for CVE-2016-8745<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745>. The change log says 'release in progress', but what is the time expected for the release to be completed --- days or weeks?

2) CVE-2016-8735<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735> bug fix id: The change log for 8.0.39 says that CVE-2016-8735<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735> was fixed in 1767656<http://svn.apache.org/viewvc?view=rev&rev=1767656>, but that points directly to the code change. I couldn't find any bugfix specifically for that issue, so I'm guessing it was a code-only change?

3) Reserved CVEs updated in NVD: A number of the more recent CVEs are still in the reserved state in NVD. Are there plans to update NVD with the details? When NVD gets updated, all the world's scanners start processing it and flagging the software for the fixes.

Thank you,
Nikola