[Secure-testing-team] Bug#793398: Remote execution of untrusted code, DoS (CVE-2015-3253)
Luca Bruno
lucab at debian.org
Thu Jul 23 15:52:32 UTC 2015
Package: groovy2
Version: 2.2.2+dfsg-3
Severity: grave
Tags: security upstream
cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.
This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.
CVE-2015-3253 has been assigned to this issue.
Please mention it in the changelog when fixing the issue.
References:
* Bulletin
http://seclists.org/bugtraq/2015/Jul/78
* Security update
http://groovy-lang.org/security.html
* Fixing commit
https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
Cheers, Luca
-- System Information:
Debian Release: 8.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
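The defensive side of the issue described in this report, as an added example that is not from the report, from groovy2 or from the Debian package: a Java ObjectInputStream subclass that checks each class name in resolveClass() against an application-specific allowlist before the JVM instantiates anything, so a class that merely happens to be on the classpath (Groovy's, in this case) is never loaded from an untrusted stream. The allowlist contents, the NotExpected class and the serialize/deserialize helpers are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Look-ahead deserialization: the class name is checked in resolveClass()
 * before any constructor or readObject() of the incoming type runs.
 * Example code written for this bug report; not part of groovy2.
 */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist: only the types this application expects to
    // receive. Everything else (Groovy's classes included) is rejected by
    // name, so being present on the classpath is no longer enough.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList",
            "java.lang.Integer",
            "java.lang.Number"
    ));

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Array descriptors look like "[Ljava.lang.Integer;" or "[I";
        // unwrap them so the element type is what gets checked.
        String checked = name;
        while (checked.startsWith("[")) {
            checked = checked.substring(1);
        }
        if (checked.startsWith("L") && checked.endsWith(";")) {
            checked = checked.substring(1, checked.length() - 1);
        }
        if (checked.length() == 1) {
            return super.resolveClass(desc); // primitive array element, e.g. "[I"
        }
        if (!ALLOWED.contains(checked)) {
            // Rejected before loading. Logging the offending class name here
            // is a cheap detection signal for deserialization probing.
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Constructed stand-in for any class the application did not expect.
    static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String field = "anything";
    }

    public static void main(String[] args) throws Exception {
        List<Integer> expected = new ArrayList<>(Arrays.asList(1, 2, 3));
        System.out.println("allowlisted: " + deserialize(serialize(expected)));

        try {
            deserialize(serialize(new NotExpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first readObject() succeeds because ArrayList and Integer are on the allowlist; the second fails in resolveClass() with an InvalidClassException before NotExpected is ever loaded. On Java 9 and later (and 8u121 and later) the same effect is available without subclassing through the standard ObjectInputFilter mechanism (JEP 290); for the Java versions shipped with Debian 8 at the time of this report, a resolveClass() override like the one above is the usual approach.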