This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat7.
commit a0ac64ddb5528a9ce8736075e54f6d890b1ae4c8 Author: Emmanuel Bourg <[email protected]> Date: Mon Dec 5 17:53:55 2016 +0100 CVE-2016-5018 follow-up: Fixed the ClassNotFoundException when the security manager is enabled (Closes: #846298) --- debian/changelog | 3 +++ debian/patches/CVE-2016-5018.patch | 23 +++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/debian/changelog b/debian/changelog index 4530d0b..6ad52a1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,9 @@ tomcat7 (7.0.56-3+deb8u6) UNRELEASED; urgency=medium package is upgraded. Thanks to Paul Szabo for the report (see #845393) * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7 package is purged. Thanks to Paul Szabo for the report (see #845385) + * CVE-2016-5018 follow-up: Applied a missing modification fixing + a ClassNotFoundException when the security manager is enabled + (Closes: #846298) * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator with recent JREs * Refreshed the expired SSL certificates used by the tests diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch index 0666882..e0d83d4 100644 --- a/debian/patches/CVE-2016-5018.patch +++ b/debian/patches/CVE-2016-5018.patch @@ -2,6 +2,7 @@ Description: Fixes CVE-2016-5018: A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. Origin: backport, http://svn.apache.org/r1754902 + http://svn.apache.org/r1760309 --- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java +++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java @@ -14,7 +14,6 @@ @@ -98,3 +99,25 @@ Origin: backport, http://svn.apache.org/r1754902 Method method = null; Class<?> type = null; Class<?> propertyEditorClass = null; +--- a/java/org/apache/jasper/compiler/JspRuntimeContext.java ++++ b/java/org/apache/jasper/compiler/JspRuntimeContext.java +@@ -90,8 +90,6 @@ + factory.getClass().getClassLoader().loadClass( basePackage + + "runtime.JspRuntimeLibrary"); + factory.getClass().getClassLoader().loadClass( basePackage + +- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); +- factory.getClass().getClassLoader().loadClass( basePackage + + "runtime.ServletResponseWrapperInclude"); + factory.getClass().getClassLoader().loadClass( basePackage + + "servlet.JspServletWrapper"); +--- a/java/org/apache/jasper/security/SecurityClassLoad.java ++++ b/java/org/apache/jasper/security/SecurityClassLoad.java +@@ -46,8 +46,6 @@ + + loader.loadClass( basePackage + + "runtime.JspRuntimeLibrary"); +- loader.loadClass( basePackage + +- "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); + + loader.loadClass( basePackage + + "runtime.ServletResponseWrapperInclude"); -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat7.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
