Your message dated Mon, 02 May 2016 22:42:09 +0000
with message-id <e1axmxz-0008fp...@franck.debian.org>
and subject line Bug#793397: fixed in groovy 2.4.6-1
has caused the Debian Bug report #793397,
regarding Remote execution of untrusted code, DoS (CVE-2015-3253)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793397: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793397
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groovy
Version: 1.8.6-1
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.

CVE-2015-3253 has been assigned to this issue. 
Please mention it in the changelog when fixing the issue.

References:
 * Bulletin
   http://seclists.org/bugtraq/2015/Jul/78
 * Security update
   http://groovy-lang.org/security.html
 * Fixing commit (on 2.4.x branch)
   https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: groovy
Source-Version: 2.4.6-1

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 02 May 2016 22:14:13 +0200
Source: groovy
Binary: groovy groovy-doc
Architecture: source all
Version: 2.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 groovy     - Agile dynamic language for the Java Virtual Machine
 groovy-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793397 793630 800859
Changes:
 groovy (2.4.6-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Closes: #793397, #793630, #800859
     - Refreshed the patches
     - Updated the poms
   * Reverted to groovy as the package name
   * Depend on libasm-java (>= 5.0) instead of libasm4-java
   * Removed the build dependency on libcobertura-java
   * Standards-Version updated to 3.9.8 (no changes)
   * Use secure Vcs-* URLs
   * Updated debian/watch to track the latest releases
   * Removed the unused debian/orig-tar.sh script

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

--- End Message ---
