Hello,
On 23.10.18 at 21:20, Anthony DeRobertis wrote:
> Package: tomcat7
> Version: 7.0.56-3+really7.0.91-1
> Severity: important
>
> After applying the recent security update, the web app we're running
> (which is unfortunately a proprietary product provided by a vendor) no
> longer works. Instead, I get an exception and a blank page.
> Interestingly, in /etc/tomcat7/policy.d/40_«redacted».policy, there is a
> grant:
>
> grant codeBase "file:/srv/hm/HPM54/WebApp-«Redacted»/-" {
> ⋮
> permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat";
> }
>
> ... adding another grant for accessClassInPackage.org.apache.tomcat.util.http
> seems to get it working again, but that's not something you'd expect without
> warning from a security update.

We follow upstream releases of Tomcat 7 closely. Unfortunately I can't tell why your webapp needs those permissions without having a look at the source code. It is quite possible that your previous security permissions were insufficient and just worked because of a bug in Tomcat 7 that got fixed alongside the last security update. I recommend filing an upstream bug report instead because Debian ships the latest upstream release without making any behavioral changes. [1] The upstream developers will more likely be able to track this issue down.

Regards,

Markus

[1] https://tomcat.apache.org/bugreport.html
