Bug#845425: DataSource no longer accessible since jessie security update
Arne Nordmark
nordmark at mech.kth.se
Wed Dec 7 19:16:08 UTC 2016
On 2016-12-07 at 17:35, Emmanuel Bourg wrote:
> On 7/12/2016 at 13:28, Arne Nordmark wrote:
>
> Thanks for the info. I'm trying to reproduce the same error but I
> haven't succeeded so far. Here is what I did:
>
...
> 9. Create a test page /var/lib/tomcat7/webapps/ROOT/test.jsp with:
>
> <%@page import="javax.naming.*,javax.sql.*" %>
> <%
> Context initContext = new InitialContext();
> Context envContext = (Context) initContext.lookup("java:/comp/env");
> DataSource ds = (DataSource) envContext.lookup("jdbc/test");
>
> out.println("DataSource: " + ds);
> %>
>
> There is still something different with your setup but I don't know what.
If I add
out.println("Loaded by: " + ds.getClass().getClassLoader());
to test.jsp I get
Loaded by: org.apache.catalina.loader.StandardClassLoader@4876e0
so the WebappClassLoader is not being used in this example, probably
because there are no classes in the webapp.
>
>
>> Am I correct in understanding that you want me to add the loop on top of
>> version 7.0.56-3+deb8u5 without the other changes from upstream 7.0.73?
>
> Yes please.
OK. I first built 7.0.56-3+deb8u5 as distributed, installed, and
verified that your example works but not my webapp. Then I added the
loop to validateGlobalResourceAccess() (patch attached), reinstalled
libtomcat7-java, restarted tomcat7, and verified that both webapps now work.
>
> Emmanuel Bourg
>
Thanks for your patience,
Arne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2016-6797-fix.patch
Type: text/x-patch
Size: 807 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20161207/3a397f18/attachment.bin>