[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20151124212746.GA5039@pisco.westfalen.local>
Date: Tue, 24 Nov 2015 22:27:47 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 3403-1] libcommons-collections3-java security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3403-1 security@...ian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 24, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libcommons-collections3-java
This update backports changes from the commons-collections 3.2.2 release
which disable the deserialisation of the functors classes unless the
system property org.apache.commons.collections.enableUnsafeSerialization
is set to 'true'. This fixes a vulnerability in unsafe applications
deserialising objects from untrusted sources without sanitising the
input data. Classes considered unsafe are: CloneTransformer, ForClosure,
InstantiateFactory, InstantiateTransformer, InvokerTransformer,
PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
For the oldstable distribution (wheezy), this problem has been fixed
in version 3.2.1-5+deb7u1.
For the stable distribution (jessie), this problem has been fixed in
version 3.2.1-7+deb8u1.
For the testing distribution (stretch), this problem has been fixed
in version 3.2.2-1.
For the unstable distribution (sid), this problem has been fixed in
version 3.2.2-1.
We recommend that you upgrade your libcommons-collections3-java packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@...ts.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWVNYVAAoJEBDCk7bDfE42UmAP/28K+6CTQscOJ4b1mkmCFars
SW9T0BOmN0P0bFtk4yk+u2ROXXZN0ZKBtvlnG0ftMCfNKPUuO2a51m/LcoCsby07
NPdm8KBs+/UUiCjbvLxq7V9+FGgIhiG7ybTWu7eOQWIQTUa5fkgA6429Vk9xragU
i9TcZWiLgUwEQB5knTSFh1pe7VNzGL/Fz/5rzoIeMw8UbaZJQKUU+41eAaIGRshl
b/Gbu0huSHXJYz675IjnW77H2AwVe/BjM1yuiprbcLmmBRyp1KWNYACizrCilyi7
7bItgVuV7qujP0E3o9i07yI4KdTkle6+GlurOXBfOhW0z8kCw96cOhqS7xdMucaE
gM0ewLMxDLq94ZUQTjBboeDfv3xBCyZ/1sgKrrgyUCJymgLkFao9cPLz4JlyzNMG
hE+3tooNTlrR+aapgk81hdNaaveDuJnuzkOS+H1wB2jPphTwJI0BKmWGC4jQtu8M
11q1cJmaUfrC8PNwscm0z2ySqH4+L9Az1fAxg3I8Jeq1KuuK4Oitaj5ir0DFe0zT
cfU4Y7SqyousRj5wu+WuuMqOcRSjWV2/ACc0HMCcg0OjB5U0pKB8lid8qJSaKNg6
V9zM6VoyVCTsYgagAI9q11dLmscgkhnjIaur/Ego8CYq7hGTH1frGfvfBA3xy/Or
kINmeHAt/6Nf3mzSURQX
=8470
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists