-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Mark,
On 5/24/16 10:06 AM, Mark Thomas wrote: > TL;DR If you use remote JMX, you need to update your JVM to address > CVE-2016-3427 > > For the longer version, see the blog post I just published on > this: http://engineering.pivotal.io/post/java-deserialization-jmx/ Okay, I give up: what version of Java 8 actually has this patch? Oracle's site gives me the runaround and tells me that it's been patched in April, but I have no idea what version of Java was published in April, and Oracle's site seems very reticent to tell me :( The CVEs have virtuall no information other than "something bad exists in some versions of some stuff, and you should upgrade". Upgrade to what ? - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAldFwPAACgkQ9CaO5/Lv0PBRjQCeOkzoLqUv6DMHkLWkEbfySe74 tvgAnRnNMavAA9M7Y2FxoTOQ1mo8eIW9 =g9B3 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org