Bug#849949: version: tomcat7 (7.0.28-4+deb7u8)

Markus Koschany apo at debian.org
Tue Jan 3 00:20:17 UTC 2017


Control: tags -1 confirmed

On 02.01.2017 18:00, Emmanuel Bourg wrote:
> Hi Karsten,
> 
> Thank you for the report.
> 
> It looks like the patch for CVE-2016-6816 applied in 7.0.28-4+deb7u7 is
> incomplete. The patch removes the AstAttribute class but
> SecurityClassLoad still attempts to load it (along with other classes in
> the same package, also removed).
> 
> This issue is specific to the version of tomcat7 in Wheezy; in Jessie
> the AstAttribute class no longer exists.

Hi Karsten,

thanks for the report and thanks to Emmanuel for the analysis.

@Karsten

I have uploaded some new binary packages of Tomcat7 to

https://people.debian.org/~apo/wheezy-lts/tomcat7/

Could you test them on your system and report back if it works for you?
There is also a tomcat7.debdiff which you just need to apply to the
source package, if you want to build everything from source.

Regards,

Markus



More information about the pkg-java-maintainers mailing list