
List:       debian-security
Subject:    Re: [SECURITY] [DSA 3403-1] libcommons-collections3-java security update
From:       Fredrik Kers <fredrik.kers () netrounds ! com>
Date:       2015-11-25 7:31:39
Message-ID: CAKkp-KRjjAF-0PFyMMB5GQOVaL2=wZXcQmQefJsN7WuwawfO7Q () mail ! gmail ! com

Not used

On Tue, Nov 24, 2015 at 10:27 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-3403-1                   security@debian.org
> https://www.debian.org/security/                       Moritz Muehlenhoff
> November 24, 2015                     https://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : libcommons-collections3-java
>
> This update backports changes from the commons-collections 3.2.2 release
> which disable the deserialisation of the functors classes unless the
> system property org.apache.commons.collections.enableUnsafeSerialization
> is set to 'true'. This fixes a vulnerability in unsafe applications
> deserialising objects from untrusted sources without sanitising the
> input data. Classes considered unsafe are: CloneTransformer, ForClosure,
> InstantiateFactory, InstantiateTransformer, InvokerTransformer,
> PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
>
> For the oldstable distribution (wheezy), this problem has been fixed
> in version 3.2.1-5+deb7u1.
>
> For the stable distribution (jessie), this problem has been fixed in
> version 3.2.1-7+deb8u1.
>
> For the testing distribution (stretch), this problem has been fixed
> in version 3.2.2-1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 3.2.2-1.
>
> We recommend that you upgrade your libcommons-collections3-java packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> -----END PGP SIGNATURE-----

-- 

*Fredrik Kers* | CTO | linkedin.com/company/netrounds
<https://www.linkedin.com/company/netrounds>

*Netrounds* | Storgatan 9 | 972 38 Luleå | Sweden | www.netrounds.com
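The advisory above describes the backported guard: functor classes such as InvokerTransformer now refuse (de)serialisation unless the system property org.apache.commons.collections.enableUnsafeSerialization is "true". The following is an added example, not code from the advisory or from Debian, that a maintainer can run against the installed commons-collections 3.x jar to confirm the guard is in effect; it assumes the jar is on the classpath and uses only the public InvokerTransformer constructor.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import org.apache.commons.collections.functors.InvokerTransformer;

/** Reports whether the installed commons-collections 3.x blocks functor deserialisation. */
public class FunctorSerializationCheck {
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns true when readObject() on a functor is rejected with the property unset. */
    static boolean guardActive() throws Exception {
        // A harmless functor instance: it would only ever call toString() on its input.
        InvokerTransformer t = new InvokerTransformer("toString", new Class[0], new Object[0]);

        // The 3.2.2 guard covers writeObject as well, so the property must be set
        // temporarily just to obtain a byte stream to test the read side with.
        System.setProperty(PROP, "true");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(t);
        } finally {
            System.clearProperty(PROP);
        }

        // With the property unset, a patched library must throw from readObject().
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
            return false;   // stream was accepted: the backported fix is not present
        } catch (UnsupportedOperationException e) {
            return true;    // rejected with the "Serialization support ... disabled" message
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(guardActive()
            ? "FIXED: functor deserialisation is disabled (DSA-3403-1 guard present)"
            : "VULNERABLE: functor deserialised; library predates the 3.2.2 guard");
    }
}
```

On an unpatched 3.2.1 jar the property is ignored entirely and the check reports VULNERABLE; on the updated package it reports FIXED unless the property has been set JVM-wide, which the advisory only recommends for applications that never deserialise untrusted input.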
