Debian Security Advisory 5290-1

Posted Nov 28, 2022
Authored by Debian | Site debian.org

Debian Linux Security Advisory 5290-1 - Apache Commons Configuration, a Java library providing a generic configuration interface, performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.

tags | advisory, java, remote, arbitrary, code execution
systems | linux, debian
advisories | CVE-2022-33980
SHA-256 | 20b74b9fbd86a759f5b71128ce07de054cfbec59f6d32a7281454300d1ea201e

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5290-1 security@debian.org
https://www.debian.org/security/ Markus Koschany
November 28, 2022 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : commons-configuration2
CVE ID : CVE-2022-33980
Debian Bug : 1014960

Apache Commons Configuration, a Java library providing a generic configuration
interface, performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. Starting with version 2.4 and continuing
through 2.7, the set of default Lookup instances included interpolators that
could result in arbitrary code execution or contact with remote servers. These
lookups are:

- "script" - execute expressions using the JVM script execution engine
  (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be
vulnerable to remote code execution or unintentional contact with remote servers
if untrusted configuration values are used.
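The mitigation the advisory implies, shown as an added example that is not Debian's or Apache's own code: before the fixed release is deployed, an application can check which of the risky prefixes the library registers by default and install an interpolator that keeps only an allowlist of lookups, so a value such as `${script:...}` in untrusted configuration is left unexpanded instead of evaluated. It assumes commons-configuration2 2.x on the classpath; `riskyDefaults`, `hardenedInterpolator` and `ALLOWED_PREFIXES` are names chosen here, and the property values are constructed samples.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.Lookup;

public final class SafeInterpolation {
    // Prefixes named in the advisory that reach a script engine or the network.
    private static final Set<String> RISKY_PREFIXES =
            new HashSet<>(Arrays.asList("script", "dns", "url"));
    // Lookups that only read local process state; adjust to what the app needs.
    private static final Set<String> ALLOWED_PREFIXES =
            new HashSet<>(Arrays.asList("sys", "env", "const"));

    // Detection: which risky prefixes does this library version register by default?
    // Non-empty on 2.4 through 2.7; expected to be empty once 2.8.0 is installed.
    static Set<String> riskyDefaults() {
        Set<String> found = new HashSet<>(ConfigurationInterpolator.getDefaultPrefixLookups().keySet());
        found.retainAll(RISKY_PREFIXES);
        return found;
    }

    // Mitigation: start from the library defaults but register only allowlisted prefixes.
    static ConfigurationInterpolator hardenedInterpolator() {
        Map<String, Lookup> safe = new HashMap<>();
        for (Map.Entry<String, Lookup> e : ConfigurationInterpolator.getDefaultPrefixLookups().entrySet()) {
            if (ALLOWED_PREFIXES.contains(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        ConfigurationInterpolator ci = new ConfigurationInterpolator();
        ci.registerLookups(safe);
        return ci;
    }

    public static void main(String[] args) {
        System.out.println("risky default lookups present: " + riskyDefaults());

        PropertiesConfiguration cfg = new PropertiesConfiguration();
        cfg.setInterpolator(hardenedInterpolator());
        // Constructed sample values standing in for an untrusted configuration file.
        cfg.setProperty("home", "${sys:user.home}");
        cfg.setProperty("untrusted", "${script:javascript:1+1}");
        System.out.println(cfg.getString("home"));       // expanded via the allowlisted "sys" lookup
        System.out.println(cfg.getString("untrusted"));  // "script" is unregistered: literal is returned as-is
    }
}
```

Running `riskyDefaults()` at startup and failing fast on a non-empty result is a cheap guard that the patched package is actually the one being loaded.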

For the stable distribution (bullseye), this problem has been fixed in
version 2.8.0-1~deb11u1.

We recommend that you upgrade your commons-configuration2 packages.

For the detailed security status of commons-configuration2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/commons-configuration2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
