On 7/12/2016 at 20:16, Arne Nordmark wrote:
> OK. I first built 7.0.56-3+deb8u5 as distributed, installed, and
> verified that your example works but not my webapp. Then I added the
> loop to validateGlobalResourceAccess() (patch attached), reinstalled
> libtomcat7-java, restarted tomcat7, and verified that both webapps now work.
>
> Thanks for your patience,

Thanks a lot for the tests Arne.

We are basically missing the commit 1763236 [1] that added the recursion through the classloader hierarchy. This commit wasn't documented as related to CVE-2016-6797. I'll add it in the next update. The tomcat8 package is also affected.

Emmanuel Bourg

[1] https://svn.apache.org/r1763236
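
An added illustration of what a walk up the class loader hierarchy changes in an access check of this kind; it is not Tomcat's code or the attached patch. The per-class-loader registration map, the class and method names, the loaders and the resource names are all assumptions made for the example.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class GlobalResourceAccessDemo {
    // Assumed model: a class loader is registered together with the names of
    // the global resources that code running under it may link to.
    static final Map<ClassLoader, Set<String>> REGISTRATIONS = new ConcurrentHashMap<>();

    // Looks only at the context class loader itself (no hierarchy walk).
    static boolean validateExact(ClassLoader contextLoader, String globalName) {
        Set<String> names = REGISTRATIONS.get(contextLoader);
        return names != null && names.contains(globalName);
    }

    // Walks from the context class loader up through its parents and accepts
    // the first loader that holds a registration for the requested name.
    static boolean validateWithHierarchy(ClassLoader contextLoader, String globalName) {
        for (ClassLoader cl = contextLoader; cl != null; cl = cl.getParent()) {
            Set<String> names = REGISTRATIONS.get(cl);
            if (names != null && names.contains(globalName)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed loaders: "registered" holds the registration, "child" is
        // a loader created underneath it and has no registration of its own.
        try (URLClassLoader registered =
                 new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader());
             URLClassLoader child = new URLClassLoader(new URL[0], registered)) {
            REGISTRATIONS.put(registered, Set.of("jdbc/ExampleDB"));

            System.out.println("exact, registered loader: "
                + validateExact(registered, "jdbc/ExampleDB"));
            System.out.println("exact, child loader:      "
                + validateExact(child, "jdbc/ExampleDB"));
            System.out.println("walk, child loader:       "
                + validateWithHierarchy(child, "jdbc/ExampleDB"));
            // A name that no loader in the chain registered is still refused.
            System.out.println("walk, unregistered name:  "
                + validateWithHierarchy(child, "jdbc/OtherDB"));
        }
    }
}
```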