https://bz.apache.org/bugzilla/show_bug.cgi?id=59247

--- Comment #17 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Remy Maucherat from comment #16)
> For starters, I will revert the workaround from trunk and 8.5 since it
> doesn't apply.
> 
> About preloading, ok, but it's a code change for a workaround. I don't see
> why classloading access by JULI is bad, after all it is toying with the
> classloader as is.

Regarding this particular accessClassInPackage permission - I guess that I am
still under the impression of CVE-2010-1622 [3] that used to manipulate the
classloader. Though that particular attack vector was closed by r966292 /
r966750.

[3] http://www.securityfocus.com/archive/1/511877
