Hi Karten, Thank you for the report.
It looks like the patch for CVE-2016-6816 applied in 7.0.28-4+deb7u7 is incomplete. The patch removes the AstAttribute class but SecurityClassLoad still attempts to load it (along with other classes in the same package, also removed). This issue is specific to the version of tomcat7 in Wheezy, in Jessie the AstAttribute class no longer exists. Emmanuel Bourg __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.