This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit ea8fec374a4bf469ed85a9954ee00a453ff31bed Author: Emmanuel Bourg <[email protected]> Date: Mon Dec 5 17:47:26 2016 +0100 CVE-2016-5018 follow-up: Fixed the ClassNotFoundException when the security manager is enabled (see #846298) --- debian/changelog | 2 ++ debian/patches/CVE-2016-5018.patch | 27 ++++++++++++++++++++++++--- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index 8c45cb1..d3cfda0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,8 @@ tomcat8 (8.0.14-1+deb8u5) UNRELEASED; urgency=medium * Backported the fix for upstream bug 57377: Remove the restriction that prevented the use of SSL when specifying a bind address for the JMX/RMI server. Enable SSL to be configured for the registry as well as the server. + * CVE-2016-5018 follow-up: Applied a missing modification fixing + a ClassNotFoundException when the security manager is enabled (see #846298) * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator with recent JREs * Backported a fix disabling the broken SSLv3 tests diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch index bb39983..17460a0 100644 --- a/debian/patches/CVE-2016-5018.patch +++ b/debian/patches/CVE-2016-5018.patch @@ -2,8 +2,7 @@ Description: Fixes CVE-2016-5018: A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. Origin: backport, http://svn.apache.org/r1754901 -diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java -index e3b53ca..19d8fa6 100644 + http://svn.apache.org/r1760307 --- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java +++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java @@ -14,7 +14,6 @@ @@ -69,7 +68,7 @@ index e3b53ca..19d8fa6 100644 /** * Returns the value of the javax.servlet.error.exception request * attribute value, if present, otherwise the value of the -@@ -292,29 +257,7 @@ public static void introspect(Object bean, ServletRequest request) +@@ -292,29 +257,7 @@ public static void introspecthelper(Object bean, String prop, String value, ServletRequest request, String param, boolean ignoreMethodNF) @@ -100,3 +99,25 @@ index e3b53ca..19d8fa6 100644 Method method = null; Class<?> type = null; Class<?> propertyEditorClass = null; +--- a/java/org/apache/jasper/security/SecurityClassLoad.java ++++ b/java/org/apache/jasper/security/SecurityClassLoad.java +@@ -44,8 +44,6 @@ + + loader.loadClass( basePackage + + "runtime.JspRuntimeLibrary"); +- loader.loadClass( basePackage + +- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); + + loader.loadClass( basePackage + + "runtime.ServletResponseWrapperInclude"); +--- a/java/org/apache/jasper/servlet/JasperInitializer.java ++++ b/java/org/apache/jasper/servlet/JasperInitializer.java +@@ -60,8 +60,6 @@ + factory.getClass().getClassLoader().loadClass( basePackage + + "runtime.JspRuntimeLibrary"); + factory.getClass().getClassLoader().loadClass( basePackage + +- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); +- factory.getClass().getClassLoader().loadClass( basePackage + + "runtime.ServletResponseWrapperInclude"); + factory.getClass().getClassLoader().loadClass( basePackage + + "servlet.JspServletWrapper"); -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
