Bug#911709: tomcat7: Security update broke apps with AccessControlException for org.apache.tomcat.util.http

Markus Koschany apo at debian.org
Tue Oct 23 21:18:59 BST 2018


Hello,

On 23.10.18 at 21:20, Anthony DeRobertis wrote:
> Package: tomcat7
> Version: 7.0.56-3+really7.0.91-1
> Severity: important
> 
> After applying the recent security update, the web app we're running
> (which is unfortunately a proprietary product provided by a vendor) no
> longer works. Instead, I get an exception and a blank page.
> Interestingly, in /etc/tomcat7/policy.d/40_«redacted».policy, there is a
> grant:
> 
> grant codeBase "file:/srv/hm/HPM54/WebApp-«Redacted»/-" {
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
> }
> 
> ... adding another grant for accessClassInPackage.org.apache.tomcat.util.http
> seems to get it working again, but that's not something you'd expect without
> warning from a security update.

We follow upstream releases of Tomcat 7 closely. Unfortunately I can't
tell why your webapp needs those permissions without having a look at
the source code. It is quite possible that your previous security
permissions were insufficient and just worked because of a bug in Tomcat
7 that got fixed alongside the last security update. I recommend filing
an upstream bug report instead because Debian ships the latest upstream
release without making any behavioral changes. [1] The upstream
developers will more likely be able to track this issue down.

Regards,

Markus

[1] https://tomcat.apache.org/bugreport.html
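An added example, not part of the bug report or of Debian's or Tomcat's code, showing why the original grant does not cover the class loaded from the subpackage: java.lang.RuntimePermission is a BasicPermission, so a name without a trailing `.*` implies only itself, while Tomcat's web application class loader passes the full package name of the class being loaded to SecurityManager.checkPackageAccess. The class name PolicyGrantCheck and the helper grantCovers are chosen here.

```java
public class PolicyGrantCheck {

    /**
     * Returns true if a policy grant for grantedName would satisfy a
     * checkPackageAccess call that requires neededName. Both names are the
     * target strings of java.lang.RuntimePermission entries in a policy file.
     */
    static boolean grantCovers(String grantedName, String neededName) {
        RuntimePermission granted = new RuntimePermission(grantedName);
        RuntimePermission needed = new RuntimePermission(neededName);
        // BasicPermission.implies(): exact match, or prefix match for "x.*" names.
        return granted.implies(needed);
    }

    public static void main(String[] args) {
        // What the class loader asks for when the webapp touches a class in
        // org.apache.tomcat.util.http (the package named in the bug report).
        String needed = "accessClassInPackage.org.apache.tomcat.util.http";

        // The grant from the original 40_*.policy: an exact name, so it does
        // not imply any subpackage of org.apache.tomcat.
        System.out.println("org.apache.tomcat grant covers util.http: "
                + grantCovers("accessClassInPackage.org.apache.tomcat", needed));

        // The extra grant the reporter added: exact match for the subpackage.
        System.out.println("util.http grant covers util.http: "
                + grantCovers("accessClassInPackage.org.apache.tomcat.util.http", needed));

        // A wildcard grant covers every subpackage below org.apache.tomcat,
        // but not org.apache.tomcat itself; a policy needing both lists both.
        System.out.println("org.apache.tomcat.* grant covers util.http: "
                + grantCovers("accessClassInPackage.org.apache.tomcat.*", needed));
        System.out.println("org.apache.tomcat.* grant covers org.apache.tomcat: "
                + grantCovers("accessClassInPackage.org.apache.tomcat.*",
                              "accessClassInPackage.org.apache.tomcat"));
    }
}
```

Widening a grant to `accessClassInPackage.org.apache.tomcat.*` is broader than the single subpackage the reporter added; which packages the webapp actually needs is the question Markus points at, and only its source can answer it.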
