On 5/25/2016 11:12 AM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Mark,
On 5/24/16 10:06 AM, Mark Thomas wrote:
TL;DR If you use remote JMX, you need to update your JVM to address
CVE-2016-3427
For the longer version, see the blog post I just published on
this: http://engineering.pivotal.io/post/java-deserialization-jmx/
Okay, I give up: what version of Java 8 actually has this patch?
Oracle's site gives me the runaround and tells me that it's been patched
in April, but I have no idea what version of Java was published in
April, and Oracle's site seems very reticent to tell me :(
The CVEs have virtuall no information other than "something bad exists
in some versions of some stuff, and you should upgrade". Upgrade to what
?
Wouldn't it just be the latest?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
