Debian Linux Security Advisory 3403-1 - This update backports changes from the commons-collections 3.2.2 release that disable deserialisation of the functors classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to 'true'. This fixes a vulnerability in unsafe applications that deserialise objects from untrusted sources without sanitizing the InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure classes.
adb69be65adb4f0344cb7814e5ad87030f8cc2266e9ab7f0c44f39ba3b02bcb2
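For applications that cannot take the update immediately, the same classes can be refused at the application's own deserialisation entry point. The following is an added example, not code from Debian or from commons-collections; the class name FunctorDenyingInputStream and the sample list are constructed for illustration, and the package prefix is the one commons-collections 3.x uses for its functors.

```java
import java.io.*;
import java.util.*;

// Added example: look-ahead stream that refuses the advisory's functor classes.
public class FunctorDenyingInputStream extends ObjectInputStream {
    // Package that holds the functor classes in commons-collections 3.x.
    static final String PKG = "org.apache.commons.collections.functors.";
    // Class names exactly as listed in the advisory text.
    static final Set<String> DENIED = new HashSet<>(Arrays.asList(
            "InstantiateFactory", "InstantiateTransformer", "InvokerTransformer",
            "PrototypeCloneFactory", "PrototypeSerializationFactory", "WhileClosure"));
    static final String UNSAFE_PROP =
            "org.apache.commons.collections.enableUnsafeSerialization";

    public FunctorDenyingInputStream(InputStream in) throws IOException { super(in); }

    // True for a denied class, including one serialized under a nested name (Outer$Inner).
    static boolean isDenied(String className) {
        if (!className.startsWith(PKG)) return false;
        int cut = Math.max(className.lastIndexOf('.'), className.lastIndexOf('$'));
        return DENIED.contains(className.substring(cut + 1));
    }

    // Called for every class descriptor in the stream, before any object is built.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isDenied(desc.getName()))
            throw new InvalidClassException(desc.getName(), "functor class refused");
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Boolean.getBoolean is true only when the property equals "true".
        if (Boolean.getBoolean(UNSAFE_PROP))
            System.err.println("WARNING: " + UNSAFE_PROP + " re-enables functor deserialisation");
        // Constructed sample input: a harmless list, serialized in memory.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        try (ObjectInputStream in = new FunctorDenyingInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            System.out.println("accepted: " + in.readObject());
        }
        System.out.println("InvokerTransformer denied: " + isDenied(PKG + "InvokerTransformer"));
        System.out.println("ConstantTransformer denied: " + isDenied(PKG + "ConstantTransformer"));
    }
}
```

The filter only protects streams read through this subclass; any other ObjectInputStream in the application still relies on the patched library and on the system property staying unset.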