Bug#849949: version: tomcat7 (7.0.28-4+deb7u8)

Emmanuel Bourg ebourg at apache.org
Mon Jan 2 17:00:42 UTC 2017


Hi Karten,

Thank you for the report.

It looks like the patch for CVE-2016-6816 applied in 7.0.28-4+deb7u7 is
incomplete. The patch removes the AstAttribute class but
SecurityClassLoad still attempts to load it (along with other classes in
the same package, also removed).

This issue is specific to the version of tomcat7 in Wheezy; in Jessie
the AstAttribute class no longer exists.

Emmanuel Bourg



More information about the pkg-java-maintainers mailing list