Package: groovy
Version: 1.8.6-1
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

This is issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.

CVE-2015-3253 has been assigned to this issue. 
Please mention it in the changelog when fixing the issue.

References:
 * Bulletin
   http://seclists.org/bugtraq/2015/Jul/78
 * Security update
   http://groovy-lang.org/security.html
 * Fixing commit (on 2.4.x branch)
   
https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to