Debian Linux Security Advisory 3403-1 - This update backports changes from the commons-collections 3.2.2 release which disable the deserialisation of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to 'true'. This fixes a vulnerability in unsafe applications deserialising objects from untrusted sources without sanitizing the InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
adb69be65adb4f0344cb7814e5ad87030f8cc2266e9ab7f0c44f39ba3b02bcb2-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3403-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 24, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libcommons-collections3-java
This update backports changes from the commons-collections 3.2.2 release
which disable the deserialisation of the functors classes unless the
system property org.apache.commons.collections.enableUnsafeSerialization
is set to 'true'. This fixes a vulnerability in unsafe applications
deserialising objects from untrusted sources without sanitising the
input data. Classes considered unsafe are: CloneTransformer, ForClosure,
InstantiateFactory, InstantiateTransformer, InvokerTransformer,
PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
For the oldstable distribution (wheezy), this problem has been fixed
in version 3.2.1-5+deb7u1.
For the stable distribution (jessie), this problem has been fixed in
version 3.2.1-7+deb8u1.
For the testing distribution (stretch), this problem has been fixed
in version 3.2.2-1.
For the unstable distribution (sid), this problem has been fixed in
version 3.2.2-1.
We recommend that you upgrade your libcommons-collections3-java packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWVNYVAAoJEBDCk7bDfE42UmAP/28K+6CTQscOJ4b1mkmCFars
SW9T0BOmN0P0bFtk4yk+u2ROXXZN0ZKBtvlnG0ftMCfNKPUuO2a51m/LcoCsby07
NPdm8KBs+/UUiCjbvLxq7V9+FGgIhiG7ybTWu7eOQWIQTUa5fkgA6429Vk9xragU
i9TcZWiLgUwEQB5knTSFh1pe7VNzGL/Fz/5rzoIeMw8UbaZJQKUU+41eAaIGRshl
b/Gbu0huSHXJYz675IjnW77H2AwVe/BjM1yuiprbcLmmBRyp1KWNYACizrCilyi7
7bItgVuV7qujP0E3o9i07yI4KdTkle6+GlurOXBfOhW0z8kCw96cOhqS7xdMucaE
gM0ewLMxDLq94ZUQTjBboeDfv3xBCyZ/1sgKrrgyUCJymgLkFao9cPLz4JlyzNMG
hE+3tooNTlrR+aapgk81hdNaaveDuJnuzkOS+H1wB2jPphTwJI0BKmWGC4jQtu8M
11q1cJmaUfrC8PNwscm0z2ySqH4+L9Az1fAxg3I8Jeq1KuuK4Oitaj5ir0DFe0zT
cfU4Y7SqyousRj5wu+WuuMqOcRSjWV2/ACc0HMCcg0OjB5U0pKB8lid8qJSaKNg6
V9zM6VoyVCTsYgagAI9q11dLmscgkhnjIaur/Ego8CYq7hGTH1frGfvfBA3xy/Or
kINmeHAt/6Nf3mzSURQX
=8470
-----END PGP SIGNATURE-----
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed