diff -Nru tomcat7-7.0.52/debian/changelog tomcat7-7.0.52/debian/changelog
--- tomcat7-7.0.52/debian/changelog	2017-01-19 17:53:04.000000000 +0000
+++ tomcat7-7.0.52/debian/changelog	2017-02-01 15:44:08.000000000 +0000
@@ -1,3 +1,12 @@
+tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium
+
+  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
+    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
+      update to new /var/lib/tomcat7/policy location.
+    - debian/tomcat7.postrm.in: remove policy directory.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 01 Feb 2017 10:40:22 -0500
+
 tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium
 
   * SECURITY UPDATE: SecurityManager bypass via a utility method
diff -Nru tomcat7-7.0.52/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch tomcat7-7.0.52/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch
--- tomcat7-7.0.52/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch	2014-02-21 06:11:51.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch	2017-02-01 15:38:58.000000000 +0000
@@ -19,7 +19,7 @@
          -sourcepath "$CATALINA_HOME"/../../java \
          -Djava.security.manager \
 -        -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \
-+        -Djava.security.policy=="$CATALINA_BASE"/work/catalina.policy \
++        -Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy \
          -Dcatalina.base="$CATALINA_BASE" \
          -Dcatalina.home="$CATALINA_HOME" \
          -Djava.io.tmpdir="$CATALINA_TMPDIR" \
@@ -28,7 +28,7 @@
        -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
        -Djava.security.manager \
 -      -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+      -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++      -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
        -Dcatalina.base="\"$CATALINA_BASE\"" \
        -Dcatalina.home="\"$CATALINA_HOME\"" \
        -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
@@ -37,7 +37,7 @@
        -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \
        -Djava.security.manager \
 -      -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \
-+      -Djava.security.policy=="\"$CATALINA_BASE/work/catalina.policy\"" \
++      -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \
        -Dcatalina.base="\"$CATALINA_BASE\"" \
        -Dcatalina.home="\"$CATALINA_HOME\"" \
        -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \
diff -Nru tomcat7-7.0.52/debian/tomcat7.postrm.in tomcat7-7.0.52/debian/tomcat7.postrm.in
--- tomcat7-7.0.52/debian/tomcat7.postrm.in	2017-01-19 17:34:51.000000000 +0000
+++ tomcat7-7.0.52/debian/tomcat7.postrm.in	2017-02-01 15:39:11.000000000 +0000
@@ -8,6 +8,7 @@
 
 # Remove cached files and auto-generated catalina.policy
 rm -rf /var/cache/tomcat7/*
+rm -rf /var/lib/tomcat7/policy
 
 case "$1" in
     remove)