David,

On 5/25/16 11:41 AM, David kerber wrote:
> On 5/25/2016 11:12 AM, Christopher Schultz wrote:
>> Mark,
>>
>> On 5/24/16 10:06 AM, Mark Thomas wrote:
>>> TL;DR If you use remote JMX, you need to update your JVM to
>>> address CVE-2016-3427
>>>
>>> For the longer version, see the blog post I just published on
>>> this:
>>> http://engineering.pivotal.io/post/java-deserialization-jmx/
>>
>> Okay, I give up: what version of Java 8 actually has this patch?
>> Oracle's site gives me the runaround and tells me that it's been
>> patched in April, but I have no idea what version of Java was
>> published in April, and Oracle's site seems very reticent to tell
>> me :(
>>
>> The CVEs have virtually no information other than "something bad
>> exists in some versions of some stuff, and you should upgrade".
>> Upgrade to what?
>
> Wouldn't it just be the latest?

Presumably so, but do you really want to read between the lines for a
security advisory? This should be much more clear to the reader. At
face value, it appears that precisely 5 versions are affected, when the
truth is much worse.

-chris