Hi, I've backported the fix for CVE-2016-5018 in Debian which removed the PrivilegedIntrospectHelper inner class in JspRuntimeLibrary, but I got bitten by the bug 60101 (the removed class was loaded though reflection in two other classes). The security pages do not mention the extra commit addressing this issue. Could someone update the pages and mention the commits please?
Tomcat 7: https://svn.apache.org/r1760309 Tomcat 8: https://svn.apache.org/r1760307 Tomcat 8.5: https://svn.apache.org/r1760305 Tomcat 9: https://svn.apache.org/r1760300 Thank you, Emmanuel Bourg --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
