Posted to dev@tomcat.apache.org by Emmanuel Bourg <eb...@apache.org> on 2016/12/05 15:17:44 UTC

Missing commit for CVE-2016-5018 on the security pages

Hi,

I've backported the fix for CVE-2016-5018 in Debian which removed the
PrivilegedIntrospectHelper inner class in JspRuntimeLibrary, but I got
bitten by the bug 60101 (the removed class was loaded through reflection
in two other classes). The security pages do not mention the extra
commit addressing this issue. Could someone update the pages and mention
the commits please?

Tomcat 7:   https://svn.apache.org/r1760309
Tomcat 8:   https://svn.apache.org/r1760307
Tomcat 8.5: https://svn.apache.org/r1760305
Tomcat 9:   https://svn.apache.org/r1760300

Thank you,

Emmanuel Bourg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: Missing commit for CVE-2016-5018 on the security pages

Posted by Mark Thomas <ma...@apache.org>.
On 05/12/2016 15:17, Emmanuel Bourg wrote:
> Hi,
> 
> I've backported the fix for CVE-2016-5018 in Debian which removed the
> PrivilegedIntrospectHelper inner class in JspRuntimeLibrary, but I got
> bitten by the bug 60101 (the removed class was loaded through reflection
> in two other classes). The security pages do not mention the extra
> commit addressing this issue. Could someone update the pages and mention
> the commits please?

Done. For 6.0.x as well.

Mark

> 
> Tomcat 7:   https://svn.apache.org/r1760309
> Tomcat 8:   https://svn.apache.org/r1760307
> Tomcat 8.5: https://svn.apache.org/r1760305
> Tomcat 9:   https://svn.apache.org/r1760300
> 
> Thank you,
> 
> Emmanuel Bourg
> 

