Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Emmanuel Bourg
On 7/12/2016 at 20:16, Arne Nordmark wrote:
> OK. I first built 7.0.56-3+deb8u5 as distributed, installed, and
> verified that your example works but not my webapp. Then I added the
> loop to validateGlobalResourceAccess() (patch attached), reinstalled
> libtomcat7-java, restarted tomcat7, and

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Arne Nordmark
On 2016-12-07 at 17:35, Emmanuel Bourg wrote:
> On 7/12/2016 at 13:28, Arne Nordmark wrote:
>
> Thanks for the info. I'm trying to reproduce the same error but I
> haven't succeeded so far. Here is what I did:
> ...
> 9. Create a test page /var/lib/tomcat7/webapps/ROOT/test.jsp with:
>
>

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Emmanuel Bourg
On 7/12/2016 at 13:28, Arne Nordmark wrote:
> I have put a symlink in /var/lib/tomcat7/common, so that would be loaded
> by the "Common" class loader.
>
> The default Debian configuration in /etc/tomcat7/catalina.properties
> seems to be slightly broken here, so in the "common.loader" I had to

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Arne Nordmark
On 2016-12-07 at 11:38, Emmanuel Bourg wrote:
> Hi Arne,
>
> Where is the jar of your JDBC driver located?

I have put a symlink in /var/lib/tomcat7/common, so that would be loaded by the "Common" class loader.

The default Debian configuration in /etc/tomcat7/catalina.properties seems to be

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-07 Thread Emmanuel Bourg
Hi Arne,

Where is the jar of your JDBC driver located?

> I can build and run Debian tomcat7 on both wheezy and jessie, so if you
> would like me to make any further tests, please let me know.

Would you be able to try again with the missing loop?

Emmanuel Bourg

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-04 Thread Markus Koschany
On 04.12.2016 15:39, Arne Nordmark wrote:
> On 2016-12-04 at 15:00, Markus Koschany wrote:
>> On 04.12.2016 09:22, Arne Nordmark wrote:
>>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>>> also suffers from this problem.
>>>
>>> Can it be so that the important part

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-04 Thread Arne Nordmark
On 2016-12-04 at 15:00, Markus Koschany wrote:
> On 04.12.2016 09:22, Arne Nordmark wrote:
>> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
>> also suffers from this problem.
>>
>> Can it be so that the important part missing is the loop traversing the
>> class loaders

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-04 Thread Markus Koschany
On 04.12.2016 09:22, Arne Nordmark wrote:
> Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7
> also suffers from this problem.
>
> Can it be so that the important part missing is the loop traversing the
> class loaders in validateGlobalResourceAccess():
>
> while (cl !=

Bug#845425: DataSource no longer accessible since jessie security update

2016-12-04 Thread Arne Nordmark
Unfortunately, the newly released wheezy security update 7.0.28-4+deb7u7 also suffers from this problem.

Can it be so that the important part missing is the loop traversing the class loaders in validateGlobalResourceAccess():

    while (cl != null) {
        ...
        cl = cl.getParent();
    }

Arne

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 17:52, Emmanuel Bourg wrote:
> Would you be able to rebuild with this version of the
> ResourceLinkFactory class and see if it works better?
>
> https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java
>
Indeed,

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 17:52, Emmanuel Bourg wrote:
>
> Would you be able to rebuild with this version of the
> ResourceLinkFactory class and see if it works better?
>
> https://raw.githubusercontent.com/apache/tomcat70/TOMCAT_7_0_73/java/org/apache/naming/factory/ResourceLinkFactory.java
>
I take

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Emmanuel Bourg
On 23/11/2016 at 17:06, Arne Nordmark wrote:
> Yet another data point:
>
> I rebuilt 7.0.56-3+deb8u5 with CVE-2016-6797.patch deleted, and again
> the problem goes away.

Would you be able to rebuild with this version of the ResourceLinkFactory class and see if it works better?

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
Yet another data point:

I rebuilt 7.0.56-3+deb8u5 with CVE-2016-6797.patch deleted, and again the problem goes away.

Arne

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 14:09, Emmanuel Bourg wrote:
> Did you enable the security manager?

I have not changed that part of /etc/default/tomcat7, so it still reads

#TOMCAT7_SECURITY=no

which should imply that the security manager is not enabled.

Arne

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Emmanuel Bourg
On 23/11/2016 at 12:54, Arne Nordmark wrote:
> Thanks for the quick reply.
>
> No, with version 7.0.73-1~bpo8+1 I do not have this problem. I guess
> this indicates a problem with backporting the patch to 7.0.56.

Did you enable the security manager?

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
On 2016-11-23 at 12:36, Emmanuel Bourg wrote:
> Hi Arne,
>
> Thank you for reporting this issue. Could you check if it also occurs
> with the tomcat7 package from jessie-backports please?

Thanks for the quick reply.

No, with version 7.0.73-1~bpo8+1 I do not have this problem. I guess this

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Emmanuel Bourg
Hi Arne,

Thank you for reporting this issue. Could you check if it also occurs with the tomcat7 package from jessie-backports please?

Emmanuel Bourg

Bug#845425: DataSource no longer accessible since jessie security update

2016-11-23 Thread Arne Nordmark
Package: tomcat7
Version: 7.0.56-3+deb8u5
Severity: normal

After the security update 7.0.56-3+deb8u5, I get an error message:

ALLVARLIG: Servlet.service() for servlet [Faces Servlet] in context with path [/mech] threw exception [Filter execution threw an exception] with root cause