Hello,
On 23.10.18 at 21:20, Anthony DeRobertis wrote:
> Package: tomcat7
> Version: 7.0.56-3+really7.0.91-1
> Severity: important
>
> After applying the recent security update, the web app we're running
> (which is unfortunately a proprietary product provided by a vendor) no
> longer works. Instead, I get an exception and a blank page.
> Interestingly, in /etc/tomcat7/policy.d/40_«redacted».policy, there is a
> grant:
>
> grant codeBase "file:/srv/hm/HPM54/WebApp-«Redacted»/-" {
> ⋮
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
> }
>
> ... adding another grant for accessClassInPackage.org.apache.tomcat.util.http
> seems to get it working again, but that's not something you'd expect without
> warning from a security update.
We follow upstream releases of Tomcat 7 closely. Unfortunately I can't
tell why your webapp needs those permissions without having a look at
the source code. It is quite possible that your previous security
permissions were insufficient and just worked because of a bug in Tomcat
7 that got fixed alongside the last security update. I recommend filing
an upstream bug report instead because Debian ships the latest upstream
release without making any behavioral changes. [1] The upstream
developers will more likely be able to track this issue down.
Regards,
Markus
[1] https://tomcat.apache.org/bugreport.html
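Why a grant for org.apache.tomcat does not reach org.apache.tomcat.util.http: RuntimePermission is a java.security.BasicPermission, whose names match exactly unless the granted name ends in ".*", and the SecurityManager demands the permission for the full package name of the class being loaded. The following is an added example using the real java.security classes, not code from the report or from Tomcat; the wildcard grant and the helper names are assumptions chosen to illustrate the check.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

// Hypothetical helper: checks whether the RuntimePermission names from a
// policy grant block cover the accessClassInPackage permission that the
// SecurityManager demands for a given package.
public class PackageAccessCheck {

    // Build a PermissionCollection from the permission names of one grant block.
    static PermissionCollection grant(String... names) {
        Permissions perms = new Permissions();
        for (String name : names) {
            perms.add(new RuntimePermission(name));
        }
        return perms;
    }

    // For a package listed (by prefix) in package.access, the SecurityManager
    // demands exactly "accessClassInPackage.<full package name>".
    // BasicPermission.implies matches the name exactly, or by prefix only when
    // the granted name ends in ".*".
    static boolean covers(PermissionCollection granted, String pkg) {
        Permission needed = new RuntimePermission("accessClassInPackage." + pkg);
        return granted.implies(needed);
    }

    public static void main(String[] args) {
        String pkg = "org.apache.tomcat.util.http";

        // The grant quoted in the report: only the parent package name.
        PermissionCollection original = grant("accessClassInPackage.org.apache.tomcat");

        // The report's working configuration: an explicit grant for the subpackage.
        PermissionCollection explicit = grant(
                "accessClassInPackage.org.apache.tomcat",
                "accessClassInPackage.org.apache.tomcat.util.http");

        // Constructed alternative: a ".*" wildcard also matches, but it grants
        // access to every org.apache.tomcat subpackage, which is broader than
        // the single explicit entry above.
        PermissionCollection wildcard = grant("accessClassInPackage.org.apache.tomcat.*");

        System.out.println("parent-only grant covers " + pkg + ": " + covers(original, pkg));
        System.out.println("explicit grant covers " + pkg + ": " + covers(explicit, pkg));
        System.out.println("wildcard grant covers " + pkg + ": " + covers(wildcard, pkg));
    }
}
```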