On 08/12/2016 00:37, Emmanuel Bourg wrote:
> Hi,
>
> The security pages are missing another commit, this time for
> CVE-2016-6797. The newly added validateGlobalResourceAccess method in
> ResourceLinkFactory was later modified to iterate over the classloader
> hierarchy. Without this modification some applications are no longer
> able to access their datasource (this happened to Debian users [1]
> installing the latest security update).
>
> Here are the commits per version if someone could update the pages:
>
> Tomcat 6: https://svn.apache.org/r1763237
> Tomcat 7: https://svn.apache.org/r1763236
> Tomcat 8: https://svn.apache.org/r1763234
> Tomcat 8.5: https://svn.apache.org/r1763233
> Tomcat 9: https://svn.apache.org/r1763232
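To make the regression mechanism concrete, here is an added illustration that is not Tomcat's code and not part of this thread. It models the difference between a resource-access check that only accepts the exact web application class loader and one that walks the class loader hierarchy, which is the behaviour the follow-up commits are described as adding. The class `ResourceAccessCheck` and its methods are hypothetical names chosen for this example; the registry of allowed loaders, the loaders themselves, and the "child loader created inside the application" scenario are constructed for the demonstration.

```java
import java.util.HashSet;
import java.util.Set;

// Hypothetical illustration (not Tomcat's ResourceLinkFactory): a registry of
// class loaders that are allowed to look up a global resource, plus two ways of
// checking the loader that performs the lookup.
public class ResourceAccessCheck {
    private final Set<ClassLoader> allowed = new HashSet<>();

    // Register the web application loader that may reach the resource.
    public void allow(ClassLoader loader) {
        allowed.add(loader);
    }

    // Exact-match check: only the requesting loader itself is consulted.
    // A loader that is merely a child of an allowed loader is refused.
    public boolean exactMatch(ClassLoader requester) {
        return allowed.contains(requester);
    }

    // Hierarchy check: walk from the requesting loader up through its parents
    // and accept if any ancestor is an allowed loader.
    public boolean hierarchyMatch(ClassLoader requester) {
        for (ClassLoader current = requester; current != null; current = current.getParent()) {
            if (allowed.contains(current)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed scenario: an application loader, and a child loader
        // created below it (for example by a framework inside the application).
        ClassLoader webapp = new ClassLoader(ResourceAccessCheck.class.getClassLoader()) {};
        ClassLoader child = new ClassLoader(webapp) {};

        ResourceAccessCheck check = new ResourceAccessCheck();
        check.allow(webapp);

        // The exact-match check accepts the registered loader but refuses the
        // child; the hierarchy check accepts both because the child's parent
        // chain reaches the registered loader.
        System.out.println("webapp, exact match:    " + check.exactMatch(webapp));
        System.out.println("child,  exact match:    " + check.exactMatch(child));
        System.out.println("webapp, hierarchy walk: " + check.hierarchyMatch(webapp));
        System.out.println("child,  hierarchy walk: " + check.hierarchyMatch(child));
    }
}
```

The point for a back-porter is that the check's strictness, not just its presence, determines whether existing deployments keep working: with the exact-match form, any lookup issued from a loader below the registered one fails even though the application itself is entitled to the resource.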
Added.

The commits on the security pages are meant to be just those required to fix the vulnerability. Back-porters may need additional commits for various reasons:

a) prior commits that aligned the code with later versions prior to the security fix being applied
b) commits that create new configuration options to provide work-arounds for side-effects of security fixes
c) commits that address regressions caused by security fixes.

to name the first few that come to mind.

I'm +0.5 on including those under c) above although I wonder if we should differentiate them on the security pages somehow. I'm not convinced that a), b) or any others should be included.

Mark