Package: groovy
Version: 1.8.6-1
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that Java applications using standard Java serialization mechanisms to decode untrusted data, and that have Groovy on their classpath, can be passed a serialized object that will cause the application to execute arbitrary code.
This issue has been marked as fixed in Groovy 2.4.4 and a standalone security patch has been made available.

CVE-2015-3253 has been assigned to this issue. Please mention it in the changelog when fixing the issue.

References:
* Bulletin: http://seclists.org/bugtraq/2015/Jul/78
* Security update: http://groovy-lang.org/security.html
* Fixing commit (on 2.4.x branch): https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)