Your message dated Wed, 19 Aug 2015 18:17:06 +0000
with message-id <e1zs7v8-0006b4...@franck.debian.org>
and subject line Bug#793398: fixed in groovy2 2.2.2+dfsg-3+deb8u1
has caused the Debian Bug report #793398,
regarding Remote execution of untrusted code, DoS (CVE-2015-3253)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793398: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793398
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groovy2
Version: 2.2.2+dfsg-3
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.

CVE-2015-3253 has been assigned to this issue. 
Please mention it in the changelog when fixing the issue.

References:
 * Bulletin
   http://seclists.org/bugtraq/2015/Jul/78
 * Security update
   http://groovy-lang.org/security.html
 * Fixing commit
   https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d

Cheers, Luca

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: groovy2
Source-Version: 2.2.2+dfsg-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
groovy2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomad...@debian.org> (supplier of updated groovy2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jul 2015 15:46:24 -0300
Source: groovy2
Binary: groovy2 groovy2-doc
Architecture: source all
Version: 2.2.2+dfsg-3+deb8u1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomad...@debian.org>
Description:
 groovy2    - Agile dynamic language for the Java Virtual Machine
 groovy2-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793398
Changes:
 groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
 .
   * Fix remote execution of untrusted code and possible DoS vulnerability.
     (CVE-2015-3253) (Closes: #793398).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.