On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Mark,
>
> On 5/24/16 10:06 AM, Mark Thomas wrote:
>> TL;DR If you use remote JMX, you need to update your JVM to address
>> CVE-2016-3427
>>
>> For the longer version, see the blog post I just published on
>> this: http://engineering.pivotal.io/post/java-deserialization-jmx/
>
> Okay, I give up: what version of Java 8 actually has this patch?
> Oracle's site gives me the runaround and tells me that it's been patched
> in April, but I have no idea what version of Java was published in
> April, and Oracle's site seems very reticent to tell me :(
>
> The CVEs have virtually no information other than "something bad exists
> in some versions of some stuff, and you should upgrade". Upgrade to what?

When I clicked on the CVE link and then followed the link to the Oracle page in the Reference section (CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html), I could see the Java version ("Supported Versions Affected" column) in the table when I looked up "CVE-2016-3427".

> -chris