Hello,

On 23.10.18 at 21:20, Anthony DeRobertis wrote:
> Package: tomcat7
> Version: 7.0.56-3+really7.0.91-1
> Severity: important
>
> After applying the recent security update, the web app we're running
> (which is unfortunately a proprietary product provided by a vendor) no
> longer works. Instead, I get an exception and a blank page.
> Interestingly, in /etc/tomcat7/policy.d/40_«redacted».policy, there is a
> grant:
>
> grant codeBase "file:/srv/hm/HPM54/WebApp-«Redacted»/-" {
> ⋮
> permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat";
> }
>
> ... adding another grant for accessClassInPackage.org.apache.tomcat.util.http
> seems to get it working again, but that's not something you'd expect without
> warning from a security update.

We follow upstream releases of Tomcat 7 closely. Unfortunately I can't
tell why your webapp needs those permissions without having a look at
the source code. It is quite possible that your previous security
permissions were insufficient and just worked because of a bug in Tomcat
7 that got fixed alongside the last security update.

I recommend filing an upstream bug report instead because Debian ships
the latest upstream release without making any behavioral changes. [1]
The upstream developers will more likely be able to track this issue down.

Regards,

Markus

[1] https://tomcat.apache.org/bugreport.html

This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
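
Added example, not part of the thread and not Tomcat or Debian code: a small Java program showing how the JDK matches the `accessClassInPackage` grants quoted in the report against the permission requested for a sub-package. The package names are taken from the report; the `.*` wildcard grant is an assumed alternative that neither poster proposed, and the program makes no claim about which Tomcat change triggered the failure.

```java
import java.security.Permissions;

public class PackageAccessGrantCheck {

    // Build a permission collection from RuntimePermission target names,
    // the way a policy file "grant" block contributes them.
    static Permissions grants(String... names) {
        Permissions perms = new Permissions();
        for (String name : names) {
            perms.add(new RuntimePermission(name));
        }
        return perms;
    }

    // SecurityManager.checkPackageAccess(pkg) checks this permission when
    // code touches a class in a package listed under "package.access".
    static RuntimePermission needed(String pkg) {
        return new RuntimePermission("accessClassInPackage." + pkg);
    }

    static void report(String label, Permissions granted, String... pkgs) {
        System.out.println(label);
        for (String pkg : pkgs) {
            System.out.printf("  %-32s implied=%b%n", pkg, granted.implies(needed(pkg)));
        }
    }

    public static void main(String[] args) {
        String[] pkgs = { "org.apache.tomcat", "org.apache.tomcat.util.http" };

        // RuntimePermission is a BasicPermission: names match exactly unless
        // the granted name is "*" or ends in ".*". A grant for a package
        // therefore says nothing about its sub-packages.
        report("grant from the report:",
               grants("accessClassInPackage.org.apache.tomcat"), pkgs);

        report("with the extra grant from the report:",
               grants("accessClassInPackage.org.apache.tomcat",
                      "accessClassInPackage.org.apache.tomcat.util.http"), pkgs);

        // Assumed alternative: a wildcard grant covers sub-packages only,
        // so the parent package still needs its own entry.
        report("wildcard grant (assumption):",
               grants("accessClassInPackage.org.apache.tomcat.*"), pkgs);
    }
}
```

Granting the specific sub-package, as the reporter did, keeps the policy narrower than a wildcard over everything below `org.apache.tomcat`.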