• [SECURITY] [DSA 3403-1] libcommons-collections3-java security update

    From Moritz Muehlenhoff@1:229/2 to All on Tue Nov 24 22:30:03 2015
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3403-1                   [email protected]
    https://www.debian.org/security/                       Moritz Muehlenhoff
    November 24, 2015                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : libcommons-collections3-java

    This update backports changes from the commons-collections 3.2.2 release
    which disable the deserialisation of the functors classes unless the
    system property org.apache.commons.collections.enableUnsafeSerialization
    is set to 'true'. This fixes a vulnerability in unsafe applications
    deserialising objects from untrusted sources without sanitising the
    input data. Classes considered unsafe are: CloneTransformer, ForClosure,
    InstantiateFactory, InstantiateTransformer, InvokerTransformer,
    PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.

    For the oldstable distribution (wheezy), this problem has been fixed
    in version 3.2.1-5+deb7u1.

    For the stable distribution (jessie), this problem has been fixed in
    version 3.2.1-7+deb8u1.

    For the testing distribution (stretch), this problem has been fixed
    in version 3.2.2-1.

    For the unstable distribution (sid), this problem has been fixed in
    version 3.2.2-1.

    We recommend that you upgrade your libcommons-collections3-java packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]

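    An added application-side mitigation in the spirit of the backported change (example code, not Debian's or commons-collections' own): an ObjectInputStream that refuses to resolve the eight classes listed in the advisory unless the same system property is set to 'true', so the behaviour holds even if an unpatched jar is still on the classpath. The package name org.apache.commons.collections.functors and the nesting of the two Prototype*Factory classes inside PrototypeFactory are assumptions taken from the 3.x source layout, not stated in the advisory.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Application-side guard: refuses to resolve the functor classes the advisory
 *  lists unless the same opt-in system property the patched library honours is
 *  set, so the fix holds even with an unpatched jar on the classpath. */
public final class FunctorBlockingObjectInputStream extends ObjectInputStream {

    // Package assumed from the 3.x source layout; the advisory gives simple names only.
    static final String FUNCTORS_PKG = "org.apache.commons.collections.functors.";

    // The eight classes the advisory names as unsafe to deserialise.
    static final Set<String> UNSAFE = new HashSet<>(Arrays.asList(
        "CloneTransformer", "ForClosure", "InstantiateFactory",
        "InstantiateTransformer", "InvokerTransformer", "PrototypeCloneFactory",
        "PrototypeSerializationFactory", "WhileClosure"));

    public FunctorBlockingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Blocks by simple name; the two Prototype*Factory classes are nested in
     *  PrototypeFactory in 3.x (assumed), so an enclosing-class prefix is stripped. */
    static boolean isBlocked(String className) {
        boolean optedIn = Boolean.getBoolean(
            "org.apache.commons.collections.enableUnsafeSerialization");
        if (optedIn || !className.startsWith(FUNCTORS_PKG)) {
            return false;
        }
        String simple = className.substring(FUNCTORS_PKG.length());
        return UNSAFE.contains(simple.substring(simple.lastIndexOf('$') + 1));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (isBlocked(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                "deserialisation of commons-collections functors is disabled");
        }
        return super.resolveClass(desc);
    }
}
```

    Wrap untrusted streams with `new FunctorBlockingObjectInputStream(in)` in place of `new ObjectInputStream(in)`; the check runs in resolveClass, before the named class is loaded or any of its readObject code executes.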
  • From Fredrik Kers@1:229/2 to Moritz Muehlenhoff on Wed Nov 25 08:50:02 2015
    XPost: linux.debian.security
    From: [email protected]

    Not used

    On Tue, Nov 24, 2015 at 10:27 PM, Moritz Muehlenhoff <[email protected]> wrote:
    --

    *Fredrik Kers* | CTO | linkedin.com/company/netrounds <https://www.linkedin.com/company/netrounds>

    <[email protected]>

    *Netrounds* | Storgatan 9 | 972 38 Luleå | Sweden | www.netrounds.com
