Upstream has released 3.2.2, acknowledging the affected code in 3.0 thru 3.2.1 as dangerously broken. -> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=15006492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15006492
Oracle seems to be okay with using CVE-2015-4852 for this vulnerability. For that reason, I think a separate CVE may not be forthcoming. -> http://www.openwall.com/lists/oss-security/2015/11/18/1

Upstream will not release a fixed 3.2.1 -> https://issues.apache.org/jira/browse/COLLECTIONS-580?focusedCommentId=14996208&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14996208

For Ubuntu, I see two options:
* Upgrade to 3.2.2
* Cherry-pick the changes between 3.2.2 and 3.2.1 that affect deserialization

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4852

https://bugs.launchpad.net/bugs/1514985
Title: Arbitrary remote code execution with InvokerTransformer
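Whichever of the two options is taken (upgrade to 3.2.2 or cherry-pick), the observable result should be the same: the commons-collections jar on the classpath refuses to serialize or deserialize InvokerTransformer. The harness below is an added verification check, not code from this bug thread or from the Commons Collections project. It relies on the behaviour 3.2.2 ships with, which is that InvokerTransformer's writeObject()/readObject() throw UnsupportedOperationException unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true; it builds no gadget chain, only a harmless InvokerTransformer("toString"). The classpath location /usr/share/java/commons-collections3.jar used in the usage note is an assumption about where the Ubuntu package installs the jar.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Added verification check (not project code): does the commons-collections 3.x
 * jar on the classpath still let InvokerTransformer pass through Java
 * serialization (the primitive the CVE-2015-4852 gadget chains rely on), or
 * does it reject it the way 3.2.2 does?
 */
public class InvokerTransformerDeserCheck {

    /** Opt-out property introduced in 3.2.2; must be unset in production. */
    static final String UNSAFE_PROP =
        "org.apache.commons.collections.enableUnsafeSerialization";

    /** Serialize then deserialize a harmless InvokerTransformer. No gadget chain is built. */
    static Object roundTrip() throws IOException, ClassNotFoundException {
        Transformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(t);            // 3.2.2: throws here already (writeObject is gated)
        }
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return ois.readObject();       // 3.0 - 3.2.1: returns a live InvokerTransformer
        }
    }

    /**
     * true  = (de)serialization of InvokerTransformer is rejected (3.2.2 behaviour, property unset)
     * false = the object round-trips, i.e. the vulnerable 3.0 - 3.2.1 code is still in use
     */
    static boolean serializationBlocked() throws IOException, ClassNotFoundException {
        try {
            roundTrip();
            return false;
        } catch (UnsupportedOperationException e) {
            // Thrown by FunctorUtils.checkUnsafeSerialization() in 3.2.2;
            // ObjectOutputStream/ObjectInputStream rethrow RuntimeExceptions unchanged.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        String version = InvokerTransformer.class.getPackage().getImplementationVersion();
        System.out.println("commons-collections Implementation-Version: "
            + (version == null ? "unknown (no manifest version)" : version));

        System.clearProperty(UNSAFE_PROP);
        boolean blocked = serializationBlocked();
        System.out.println(blocked
            ? "OK: InvokerTransformer (de)serialization rejected; the 3.2.2 fix is present"
            : "VULNERABLE: InvokerTransformer round-trips through serialization (3.0 - 3.2.1 behaviour)");

        if (blocked) {
            // Confirm the block is the property-gated 3.2.2 check rather than some other failure,
            // then put the property back to its (safe) unset state.
            System.setProperty(UNSAFE_PROP, "true");
            System.out.println("With " + UNSAFE_PROP + "=true, blocked=" + serializationBlocked());
            System.clearProperty(UNSAFE_PROP);
        }
        System.exit(blocked ? 0 : 1);
    }
}
```

Compile and run it against the installed jar, e.g. `javac -cp /usr/share/java/commons-collections3.jar InvokerTransformerDeserCheck.java && java -cp /usr/share/java/commons-collections3.jar:. InvokerTransformerDeserCheck`; a non-zero exit means the vulnerable code is still in use. One caveat for the cherry-pick route: this harness exercises only InvokerTransformer, while the 3.2.2 change gates the other functors that can reach arbitrary code as well (InstantiateTransformer, InstantiateFactory, CloneTransformer and the Prototype factories), so a backport should carry all of those hunks, not just the InvokerTransformer one.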
