Not used

On Tue, Nov 24, 2015 at 10:27 PM, Moritz Muehlenhoff <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3403-1                   [email protected]
> https://www.debian.org/security/                        Moritz Muehlenhoff
> November 24, 2015                      https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : libcommons-collections3-java
>
> This update backports changes from the commons-collections 3.2.2 release
> which disable the deserialisation of the functors classes unless the
> system property org.apache.commons.collections.enableUnsafeSerialization
> is set to 'true'. This fixes a vulnerability in unsafe applications
> deserialising objects from untrusted sources without sanitising the
> input data. Classes considered unsafe are: CloneTransformer, ForClosure,
> InstantiateFactory, InstantiateTransformer, InvokerTransformer,
> PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 3.2.1-5+deb7u1.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 3.2.1-7+deb8u1.
>
> For the testing distribution (stretch), this problem has been fixed
> in version 3.2.2-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.2.2-1.
>
> We recommend that you upgrade your libcommons-collections3-java packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: [email protected]
>

-- 
*Fredrik Kers* | CTO | linkedin.com/company/netrounds <https://www.linkedin.com/company/netrounds>
<[email protected]>
*Netrounds* | Storgatan 9 | 972 38 Luleå | Sweden | www.netrounds.com
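
A triage check for the quoted advisory, added here as an example; it is not part of the original message or of Debian's tooling. It compares an installed libcommons-collections3-java version against the fixed versions listed in DSA-3403-1 using Debian version ordering, and flags JVM arguments that set the named property to 'true'. The function names and the list-of-JVM-arguments input are assumptions made for illustration.

```python
import re

# Fixed versions per release, as stated in DSA-3403-1.
FIXED = {"wheezy": "3.2.1-5+deb7u1", "jessie": "3.2.1-7+deb8u1",
         "stretch": "3.2.2-1", "sid": "3.2.2-1"}
# Property from the advisory; 'true' re-enables deserialisation of the functors.
UNSAFE_PROP = "org.apache.commons.collections.enableUnsafeSerialization"

def _order(ch):
    # dpkg ordering: '~' sorts first, then end of part, letters, everything else.
    if ch in ("~", ""):
        return -1 if ch == "~" else 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, the way dpkg does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            ca, cb = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1, following Debian version ordering."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def triage(release, installed, jvm_args):
    """Findings for one host; installed=None means the package is absent."""
    findings = []
    if installed and compare_versions(installed, FIXED[release]) < 0:
        findings.append("upgrade to " + FIXED[release])
    prefix = "-D" + UNSAFE_PROP + "="
    findings += ["unsafe serialisation re-enabled: " + a for a in jvm_args
                 if a.startswith(prefix) and a[len(prefix):] == "true"]
    return findings
```

An empty list from `triage` means neither condition applies to that host; a fixed package with the property set to 'true' still produces a finding, because the update only disables the functors while the property is unset.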

