Tags: security upstream
cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.
This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.
CVE-2015-3253 has been assigned to this issue.
Please mention it in the changelog when fixing the issue.
* Security update
* Fixing commit (on 2.4.x branch)
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)