Your message dated Sun, 26 Jul 2015 03:34:49 +0000
with message-id <e1zjci9-00056v...@franck.debian.org>
and subject line Bug#793398: fixed in groovy2 2.2.2+dfsg-5
has caused the Debian Bug report #793398,
regarding Remote execution of untrusted code, DoS (CVE-2015-3253)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793398: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793398
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groovy2
Version: 2.2.2+dfsg-3
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.

CVE-2015-3253 has been assigned to this issue. 
Please mention it in the changelog when fixing the issue.

References:
 * Bulletin
   http://seclists.org/bugtraq/2015/Jul/78
 * Security update
   http://groovy-lang.org/security.html
 * Fixing commit
   https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d

Cheers, Luca

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
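
A triage aid for the condition the report above describes, added here as an example (not code from the bug report, Debian or the Groovy project): it heuristically scans a Java serialization stream for class descriptors that live in Groovy packages. The package prefixes, the function names and the sample class names are assumptions constructed for illustration.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + version 5
TC_CLASSDESC = b"\x72"              # type code that opens a class descriptor
# Assumption: package prefixes treated as "Groovy" when triaging a stream.
GROOVY_PREFIXES = ("org.codehaus.groovy.", "groovy.")
_CLASS_NAME = re.compile(r"^\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*;?$")


def class_names(blob):
    """Heuristically list the class names a serialized stream declares."""
    if not blob.startswith(STREAM_MAGIC):
        return []
    names, pos = [], len(STREAM_MAGIC)
    while True:
        pos = blob.find(TC_CLASSDESC, pos)
        if pos < 0 or pos + 3 > len(blob):
            return names
        (length,) = struct.unpack_from(">H", blob, pos + 1)
        end = pos + 3 + length
        # Descriptor layout: name, 8-byte serialVersionUID, 1 flag byte.
        name = blob[pos + 3:end].decode("ascii", "replace")
        if length and end + 9 <= len(blob) and _CLASS_NAME.match(name):
            if name not in names:
                names.append(name)
            pos = end + 9
        else:
            pos += 1  # 0x72 was ordinary data ('r'); keep scanning


def groovy_classes(blob):
    """Return declared class names that live in a Groovy package."""
    return [n for n in class_names(blob) if n.startswith(GROOVY_PREFIXES)]


def constructed_stream(*names):
    """Build a minimal, constructed stream declaring field-less classes."""
    out = STREAM_MAGIC
    for n in names:
        raw = n.encode("ascii")
        out += (b"\x73\x72" + struct.pack(">H", len(raw)) + raw + bytes(8)
                + b"\x02\x00\x00\x78\x70")  # flags, 0 fields, end, no super
    return out


if __name__ == "__main__":
    sample = constructed_stream("java.util.HashMap",
                                "org.codehaus.groovy.example.Placeholder")
    print(groovy_classes(sample))
```

The scan is a byte-pattern heuristic rather than a full stream parser, so a hit is a reason to inspect the input path, not proof of anything more.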
--- Begin Message ---
Source: groovy2
Source-Version: 2.2.2+dfsg-5

We believe that the bug you reported is fixed in the latest version of
groovy2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomad...@debian.org> (supplier of updated groovy2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jul 2015 21:08:32 -0300
Source: groovy2
Binary: groovy2 groovy2-doc
Architecture: source all
Version: 2.2.2+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomad...@debian.org>
Description:
 groovy2    - Agile dynamic language for the Java Virtual Machine
 groovy2-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793398 793635
Changes:
 groovy2 (2.2.2+dfsg-5) unstable; urgency=high
 .
   * Use debian version for commons-cli dependency. (Closes: #793635).
   * Fix remote execution of untrusted code and possible DoS vulnerability.
     (CVE-2015-3253) (Closes: #793398).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.