Hi,

The security pages are missing another commit, this time for
CVE-2016-6797. The newly added validateGlobalResourceAccess method in
ResourceLinkFactory was later modified to iterate over the classloader
hierarchy. Without this modification some applications are no longer
able to access their datasource (this happened to Debian users [1]
installing the latest security update).

Here are the commits per version if someone could update the pages:

Tomcat 6:   https://svn.apache.org/r1763237
Tomcat 7:   https://svn.apache.org/r1763236
Tomcat 8:   https://svn.apache.org/r1763234
Tomcat 8.5: https://svn.apache.org/r1763233
Tomcat 9:   https://svn.apache.org/r1763232

Thank you,

Emmanuel Bourg

[1] https://bugs.debian.org/845425
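
An added illustration, not part of the original message and not Tomcat's code: a simplified model of an access check keyed on class loader. It shows why an exact-match check refuses a caller running under a child loader of the registered web application, while a check that walks the parent chain accepts it and still refuses a different application. The class name, method names and the resource name `jdbc/SharedDS` are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model only: names are hypothetical, not taken from ResourceLinkFactory.
public class GlobalResourceAccessDemo {
    // Global resource name -> class loader of the web application allowed to link to it.
    private static final Map<String, ClassLoader> REGISTRATIONS = new ConcurrentHashMap<>();

    static void register(String globalName, ClassLoader webappLoader) {
        REGISTRATIONS.put(globalName, webappLoader);
    }

    // Exact-match form: only the registered loader itself passes.
    static boolean allowedExact(String globalName, ClassLoader caller) {
        ClassLoader owner = REGISTRATIONS.get(globalName);
        return owner != null && owner == caller;
    }

    // Hierarchy form: the caller passes if the registered loader is the caller
    // or one of its ancestors. Unregistered names are refused either way.
    static boolean allowedInHierarchy(String globalName, ClassLoader caller) {
        ClassLoader owner = REGISTRATIONS.get(globalName);
        if (owner == null) {
            return false;
        }
        for (ClassLoader cl = caller; cl != null; cl = cl.getParent()) {
            if (cl == owner) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader shared = GlobalResourceAccessDemo.class.getClassLoader();
        // Constructed loaders: two web applications and a child loader inside the first.
        try (URLClassLoader webappA = new URLClassLoader(new URL[0], shared);
             URLClassLoader webappB = new URLClassLoader(new URL[0], shared);
             URLClassLoader childOfA = new URLClassLoader(new URL[0], webappA)) {
            register("jdbc/SharedDS", webappA);
            System.out.println("exact, child of A:     " + allowedExact("jdbc/SharedDS", childOfA));
            System.out.println("hierarchy, child of A: " + allowedInHierarchy("jdbc/SharedDS", childOfA));
            System.out.println("hierarchy, webapp B:   " + allowedInHierarchy("jdbc/SharedDS", webappB));
            System.out.println("hierarchy, unknown:    " + allowedInHierarchy("jdbc/Other", webappA));
        }
    }
}
```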
