Bug#845425: DataSource no longer accessible since jessie security update

Markus Koschany apo at debian.org
Sun Dec 4 14:00:12 UTC 2016


On 04.12.2016 09:22, Arne Nordmark wrote:
> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
> also suffers from this problem.
> 
> Can it be so that the important part missing is the loop traversing the
> class loaders in validateGlobalResourceAccess():
> 
> while (cl != null) {
>  ...
>  cl = cl.getParent();
> }

Hello,

I have prepared the update for Wheezy. Since you confirmed that using the ResourceLinkFactory class
from 7.x trunk works for you, we have replaced the current version with this one. At the moment I
fail to understand what we are missing because upstream's fix for CVE-2016-6797 is relatively
straightforward [1] and we have already taken your bug report into account.

Could you elaborate in which file the code from above is missing?

Thanks,

Markus


[1] https://svn.apache.org/viewvc?view=revision&revision=1757275




