Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #853235,
regarding jessie-pu: package groovy/2.2.2+dfsg-3+deb8u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
853235: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853235
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
groovy2 is also affected by CVE-2016-6814. The patch is almost
identical to the one used in groovy. Please find attached the debdiff.
Markus
diff -Nru groovy2-2.2.2+dfsg/debian/changelog
groovy2-2.2.2+dfsg/debian/changelog
--- groovy2-2.2.2+dfsg/debian/changelog 2015-07-25 22:20:07.000000000 +0200
+++ groovy2-2.2.2+dfsg/debian/changelog 2017-01-30 17:49:16.000000000 +0100
@@ -1,3 +1,16 @@
+groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic
+ language for the Java Virtual Machine, allows remote code execution
+ wherever deserialization occurs in the application. It is possible for an
+ attacker to craft a special serialized object that will execute code
+ directly when deserialized. All applications which rely on serialization
+ and do not isolate the code which deserializes objects are subject to this
+ vulnerability.
+
+ -- Markus Koschany <[email protected]> Mon, 30 Jan 2017 17:49:16 +0100
+
groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
* Fix remote execution of untrusted code and possible DoS vulnerability.
diff -Nru groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch
groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch
--- groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch 1970-01-01
01:00:00.000000000 +0100
+++ groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch 2017-01-30
17:49:16.000000000 +0100
@@ -0,0 +1,37 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 30 Jan 2017 17:47:46 +0100
+Subject: CVE-2016-6814
+
+Bug-Debian: https://bugs.debian.org/851408
+Origin: http://seclists.org/oss-sec/2017/q1/92
+---
+ src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+index 8e4fac8..6fceb3d 100644
+--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -19,6 +19,7 @@ import groovy.lang.Closure;
+ import groovy.lang.MetaMethod;
+
+ import java.util.List;
++import java.io.IOException;
+
+
+ /**
+@@ -69,6 +70,14 @@ public class MethodClosure extends Closure {
+ throw new UnsupportedOperationException();
+ }
+
++ private void readObject(java.io.ObjectInputStream stream) throws
++ IOException, ClassNotFoundException {
++ if (ALLOW_RESOLVE) {
++ stream.defaultReadObject();
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public Object getProperty(String property) {
+ if ("method".equals(property)) {
+ return getMethod();
diff -Nru groovy2-2.2.2+dfsg/debian/patches/series
groovy2-2.2.2+dfsg/debian/patches/series
--- groovy2-2.2.2+dfsg/debian/patches/series 2015-07-25 22:19:23.000000000
+0200
+++ groovy2-2.2.2+dfsg/debian/patches/series 2017-01-30 17:49:16.000000000
+0100
@@ -2,3 +2,4 @@
02_fix_start_script.diff
03_add_maven_poms.diff
04_CVE-2015-3253.diff
+CVE-2016-6814.patch
--- End Message ---
--- Begin Message ---
Version: 8.8
Hi,
Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!
Regards,
Adam
--- End Message ---
