The patch is here:
-> https://issues.apache.org/jira/secure/attachment/12771520/COLLECTIONS-580.patch

Suggestion for the Ubuntu changelog if the cherrypick approach is taken:

The commons-collections library was discovered by foxglovesecurity to
allow pre-auth code execution in environments that may deserialize user
input. This is particularly true of JBoss, because it has its management
interface attached to the default web socket. Any application using
commons-collections is at risk if there is a way to input crafted
serialized data.

Cherrypick COLLECTIONS-580.patch from commons-collections3-3.2.2.jar to
fix the vulnerability referred to in CVE-2015-4852 (No CVE has been
assigned to commons-collections, where the actual implementation issue
is).

The patch disables deserialization of untrusted data by default. By
setting the system property DESERIALIZE to true, the old (dangerous)
behavior can be reinstated.

-- 
https://bugs.launchpad.net/bugs/1514985

Title:
  Arbitrary remote code execution with InvokerTransformer


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
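A small check a packager can run against the installed jar to see whether the COLLECTIONS-580 behaviour is in place. This is an added example, not code from the bug report, from Ubuntu or from the Apache project. It assumes the system property name as shipped in the released commons-collections 3.2.2 jar, org.apache.commons.collections.enableUnsafeSerialization, and it assumes the Ubuntu jar lives at /usr/share/java/commons-collections3.jar; adjust both if your build differs. It only serializes an InvokerTransformer and reads it back; it does not build the gadget chain used for the actual attack, because the patched jar refuses at exactly this step.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;

// Added example (not from the bug report or the project): reports whether the
// commons-collections jar on the classpath still lets InvokerTransformer pass
// through Java serialization, which is what COLLECTIONS-580 disables.
public class CheckCollections580 {

    // Assumed property name, as used by the released 3.2.2 patch.
    static final String UNSAFE_PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    // A harmless InvokerTransformer: on transform(x) it reflectively calls x.getName().
    // Nothing dangerous is invoked; the point is only that the class is serialized.
    static Transformer harmlessTransformer() {
        return new InvokerTransformer("getName", new Class[0], new Object[0]);
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(UNSAFE_PROP + "=" + System.getProperty(UNSAFE_PROP));
        try {
            // The patched jar throws UnsupportedOperationException from writeObject/readObject
            // unless the property is "true"; an unpatched jar round-trips the object silently.
            Transformer copy = (Transformer) deserialize(serialize(harmlessTransformer()));
            System.out.println("UNPATCHED (or unsafe serialization enabled): InvokerTransformer "
                + "round-tripped; transform(String.class) -> " + copy.transform(String.class));
        } catch (UnsupportedOperationException e) {
            System.out.println("PATCHED: " + e.getMessage());
        }
    }
}
```

Compile and run with the installed jar on the classpath, e.g. javac -cp /usr/share/java/commons-collections3.jar CheckCollections580.java followed by java -cp /usr/share/java/commons-collections3.jar:. CheckCollections580. With the patched jar the run prints the PATCHED line; adding -Dorg.apache.commons.collections.enableUnsafeSerialization=true to the java command reinstates the old behaviour and the UNPATCHED line appears, which is the opt-in the changelog text describes.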