On 26.11.2016 17:00, Markus Koschany wrote:
> On 22.11.2016 11:17, Emmanuel Bourg wrote:
>> Three more CVEs have just been announced, a bit more serious this time:
>> CVE-2016-6816 Apache Tomcat Information Disclosure
>> CVE-2016-8735 Apache Tomcat Remote Code Execution
>> CVE-2016-6817 Apache Tomcat Denial of Service
>>
>> I'll prepare the stable and jessie-backports updates for tomcat7 and
>> tomcat8 today. testing/unstable already have the fixed versions.
>>
>
> Hi,
>
> I have pushed the updates for Wheezy which is only affected by
> CVE-2016-6816 and CVE-2016-8735. Could you isolate the bug in
> CVE-2016-6797.patch? What exactly was missing from ResourceLinkFactory.java?
>

Since I haven't heard anything yet I'm going to backport ResourceLinkFactory.java as a precaution and release the security announcement tomorrow.

Markus