On 7/12/2016 at 20:16, Arne Nordmark wrote:
> OK. I first built 7.0.56-3+deb8u5 as distributed, installed, and
> verified that your example works but not my webapp. Then I added the
> loop to validateGlobalResourceAccess() (patch attached), reinstalled
> libtomcat7-java, restarted tomcat7, and verified that both webapps now work.
>
> Thanks for your patience,

Thanks a lot for the tests, Arne. We are basically missing the commit 1763236 [1] that added the recursion through the classloader hierarchy. This commit wasn't documented as related to CVE-2016-6797. I'll add it in the next update. The tomcat8 package is also affected.

Emmanuel Bourg

[1] https://svn.apache.org/r1763236