Control: severity -1 important I'm downgrading the severity to important for the following reasons: - this issue has been there for years in the previous tomcat packages - the actual policy violation seems to be debatable - the RC bug prevents the latest version containing security fixes from reaching testing and then jessie-backports
