Hi Emmanuel,

On Thu, Jun 11, 2026 at 11:28:06PM +0200, Emmanuel Bourg wrote:
> Control: found -1 3.14.0
>
>
> On 30/12/2023 at 21:13, Salvatore Bonaccorso wrote:
> > Source: jline3
> > Version: 3.3.1-3
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for jline3.
> >
> > CVE-2023-50572[0]:
> > | An issue in the component GroovyEngine.execute of jline-groovy
> > | v3.24.1 allows attackers to cause an OOM (OutofMemory) error.
> >
> > Now I'm not completely sure about the assessment. The code in 3.3.1
> > got some refactoring in later version and the upstream commit from
> > 3.25.0 fixing the issue would not apply cleanly, but I'm not 100%
> > convinced that the issue is only introduced later. Please double check
> > that. In case not, where was the issue introduced, can we pin-point
> > that?
>
> Groovy support was introduced in JLine 3.14.0 [1], so our old 3.3.1 version
> is not affected by CVE-2023-50572.

Thanks, I have updated the security-tracker information.

Regards,
Salvatore

