Author: nomadium Date: 2015-07-25 20:27:39 +0000 (Sat, 25 Jul 2015) New Revision: 18782
Added: trunk/groovy/debian/patches/0005-CVE-2015-3253.patch Modified: trunk/groovy/debian/changelog trunk/groovy/debian/control trunk/groovy/debian/copyright trunk/groovy/debian/patches/series Log: Fix CVE-2015-3253 Modified: trunk/groovy/debian/changelog =================================================================== --- trunk/groovy/debian/changelog 2015-07-23 11:55:59 UTC (rev 18781) +++ trunk/groovy/debian/changelog 2015-07-25 20:27:39 UTC (rev 18782) @@ -1,3 +1,13 @@ +groovy (1.8.6-5) UNRELEASED; urgency=high + + * Fix remote execution of untrusted code and possible DoS vulnerability. + (CVE-2015-3253) (Closes: #793397). + * Bump Standards-Version to 3.9.6. No changes were required. + * Update copyright file: + - Fix lintian warning invalid-short-name-in-dep5-copyright. + + -- Miguel Landaeta <[email protected]> Sat, 25 Jul 2015 14:59:34 -0300 + groovy (1.8.6-4) unstable; urgency=medium * Implement alternatives usage to allow co-installation with groovy 2.x. Modified: trunk/groovy/debian/control =================================================================== --- trunk/groovy/debian/control 2015-07-23 11:55:59 UTC (rev 18781) +++ trunk/groovy/debian/control 2015-07-25 20:27:39 UTC (rev 18782) @@ -9,7 +9,7 @@ (>= 1.0.3), junit4, libmockobjects-java (>= 0.09), libregexp-java (>= 1.2), libservlet2.5-java, libxstream-java, libjline-java, antlr, tofrodos, ivy, libqdox-java, libjarjar-java (>= 1.4+svn142-4~), libjansi-java -Standards-Version: 3.9.5 +Standards-Version: 3.9.6 Homepage: http://groovy.codehaus.org/ Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/groovy Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/groovy/ Modified: trunk/groovy/debian/copyright =================================================================== --- trunk/groovy/debian/copyright 2015-07-23 11:55:59 UTC (rev 18781) +++ trunk/groovy/debian/copyright 2015-07-25 20:27:39 UTC (rev 18782) 
@@ -11,7 +11,7 @@ Files: src/main/org/codehaus/groovy/jsr223/* Copyright: 2006 Sun Microsystems, Inc. -License: BSD +License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Added: trunk/groovy/debian/patches/0005-CVE-2015-3253.patch =================================================================== --- trunk/groovy/debian/patches/0005-CVE-2015-3253.patch (rev 0) +++ trunk/groovy/debian/patches/0005-CVE-2015-3253.patch 2015-07-25 20:27:39 UTC (rev 18782) @@ -0,0 +1,32 @@ +Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253) +Author: Cédric Champeau <[email protected]> +Bug-Debian: https://bugs.debian.org/793397 +Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d +Forwarded: no +Last-Update: 2015-07-25 + +--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java ++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java +@@ -30,6 +30,8 @@ import java.util.List; + */ + public class MethodClosure extends Closure { + ++ public static boolean ALLOW_RESOLVE = false; ++ + private String method; + + public MethodClosure(Object owner, String method) { +@@ -52,6 +54,13 @@ public class MethodClosure extends Closu + } + } + ++ private Object readResolve() { ++ if (ALLOW_RESOLVE) { ++ return this; ++ } ++ throw new UnsupportedOperationException(); ++ } ++ + public String getMethod() { + return method; + } Modified: trunk/groovy/debian/patches/series =================================================================== --- trunk/groovy/debian/patches/series 2015-07-23 11:55:59 UTC (rev 18781) +++ trunk/groovy/debian/patches/series 2015-07-25 20:27:39 UTC (rev 18782) 
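Review bot: The `readResolve()` added to MethodClosure in the new patch rejects a serialized instance with a bare `UnsupportedOperationException`, a RuntimeException that a caller of `ObjectInputStream.readObject()` catching `IOException` will not handle and that carries no message saying why the stream was refused; the idiomatic rejection from `readResolve` is an `ObjectStreamException`, e.g. `private Object readResolve() throws ObjectStreamException {` with `throw new InvalidObjectException("MethodClosure deserialization is disabled (CVE-2015-3253); set MethodClosure.ALLOW_RESOLVE to opt in");` and `import java.io.InvalidObjectException; import java.io.ObjectStreamException;` added alongside the existing `java.util.List` import. Since the patch is a verbatim upstream backport, Debian may reasonably prefer not to diverge from it, but the opt-in switch still deserves a comment: `ALLOW_RESOLVE` is a public, non-final, non-volatile static that any code in the JVM can flip process-wide, and a one-line javadoc such as `/** Process-wide opt-in for deserializing MethodClosure; leave false unless every ObjectInputStream in this JVM reads trusted data only. */` would make that explicit. The guard also refuses every legitimate deserialization of a MethodClosure by default, a behavior change the changelog entry does not mention. The rest of MethodClosure (its constructor and `doCall`) lies outside the hunk.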
@@ -2,3 +2,4 @@
 0002-ant-build.diff.patch
 0003-disable-bnd.diff.patch
 0004-java8-compatibility.patch
+0005-CVE-2015-3253.patch
_______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

