-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3403-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff November 24, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libcommons-collections3-java This update backports changes from the commons-collections 3.2.2 release which disable the deserialisation of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to 'true'. This fixes a vulnerability in unsafe applications deserialising objects from untrusted sources without sanitising the input data. Classes considered unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure. For the oldstable distribution (wheezy), this problem has been fixed in version 3.2.1-5+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 3.2.1-7+deb8u1. For the testing distribution (stretch), this problem has been fixed in version 3.2.2-1. For the unstable distribution (sid), this problem has been fixed in version 3.2.2-1. We recommend that you upgrade your libcommons-collections3-java packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJWVNYVAAoJEBDCk7bDfE42UmAP/28K+6CTQscOJ4b1mkmCFars SW9T0BOmN0P0bFtk4yk+u2ROXXZN0ZKBtvlnG0ftMCfNKPUuO2a51m/LcoCsby07 NPdm8KBs+/UUiCjbvLxq7V9+FGgIhiG7ybTWu7eOQWIQTUa5fkgA6429Vk9xragU i9TcZWiLgUwEQB5knTSFh1pe7VNzGL/Fz/5rzoIeMw8UbaZJQKUU+41eAaIGRshl b/Gbu0huSHXJYz675IjnW77H2AwVe/BjM1yuiprbcLmmBRyp1KWNYACizrCilyi7 7bItgVuV7qujP0E3o9i07yI4KdTkle6+GlurOXBfOhW0z8kCw96cOhqS7xdMucaE gM0ewLMxDLq94ZUQTjBboeDfv3xBCyZ/1sgKrrgyUCJymgLkFao9cPLz4JlyzNMG hE+3tooNTlrR+aapgk81hdNaaveDuJnuzkOS+H1wB2jPphTwJI0BKmWGC4jQtu8M 11q1cJmaUfrC8PNwscm0z2ySqH4+L9Az1fAxg3I8Jeq1KuuK4Oitaj5ir0DFe0zT cfU4Y7SqyousRj5wu+WuuMqOcRSjWV2/ACc0HMCcg0OjB5U0pKB8lid8qJSaKNg6 V9zM6VoyVCTsYgagAI9q11dLmscgkhnjIaur/Ego8CYq7hGTH1frGfvfBA3xy/Or kINmeHAt/6Nf3mzSURQX =8470 -----END PGP SIGNATURE-----