it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [SECURITY] [DSA 3403-1] libcommons-collections3-java security update
Chronologisch Thread
- From: Moritz Muehlenhoff <jmm AT debian.org>
- To: debian-security-announce AT lists.debian.org
- Subject: [IT-SecNots] [SECURITY] [DSA 3403-1] libcommons-collections3-java security update
- Date: Tue, 24 Nov 2015 22:27:47 +0100
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
- List-url: <http://lists.debian.org/debian-security-announce/>
- Old-return-path: <jmm AT inutil.org>
- Priority: urgent
- Resent-date: Tue, 24 Nov 2015 21:28:06 +0000 (UTC)
- Resent-from: debian-security-announce AT lists.debian.org
- Resent-message-id: <L-vHwV5P1MN.A.kKD.mZNVWB@bendel>
- Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3403-1 security AT debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 24, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libcommons-collections3-java
This update backports changes from the commons-collections 3.2.2 release
which disable the deserialisation of the functors classes unless the
system property org.apache.commons.collections.enableUnsafeSerialization
is set to 'true'. This fixes a vulnerability in unsafe applications
deserialising objects from untrusted sources without sanitising the
input data. Classes considered unsafe are: CloneTransformer, ForClosure,
InstantiateFactory, InstantiateTransformer, InvokerTransformer,
PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.
For the oldstable distribution (wheezy), this problem has been fixed
in version 3.2.1-5+deb7u1.
For the stable distribution (jessie), this problem has been fixed in
version 3.2.1-7+deb8u1.
For the testing distribution (stretch), this problem has been fixed
in version 3.2.2-1.
For the unstable distribution (sid), this problem has been fixed in
version 3.2.2-1.
We recommend that you upgrade your libcommons-collections3-java packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJWVNYVAAoJEBDCk7bDfE42UmAP/28K+6CTQscOJ4b1mkmCFars
SW9T0BOmN0P0bFtk4yk+u2ROXXZN0ZKBtvlnG0ftMCfNKPUuO2a51m/LcoCsby07
NPdm8KBs+/UUiCjbvLxq7V9+FGgIhiG7ybTWu7eOQWIQTUa5fkgA6429Vk9xragU
i9TcZWiLgUwEQB5knTSFh1pe7VNzGL/Fz/5rzoIeMw8UbaZJQKUU+41eAaIGRshl
b/Gbu0huSHXJYz675IjnW77H2AwVe/BjM1yuiprbcLmmBRyp1KWNYACizrCilyi7
7bItgVuV7qujP0E3o9i07yI4KdTkle6+GlurOXBfOhW0z8kCw96cOhqS7xdMucaE
gM0ewLMxDLq94ZUQTjBboeDfv3xBCyZ/1sgKrrgyUCJymgLkFao9cPLz4JlyzNMG
hE+3tooNTlrR+aapgk81hdNaaveDuJnuzkOS+H1wB2jPphTwJI0BKmWGC4jQtu8M
11q1cJmaUfrC8PNwscm0z2ySqH4+L9Az1fAxg3I8Jeq1KuuK4Oitaj5ir0DFe0zT
cfU4Y7SqyousRj5wu+WuuMqOcRSjWV2/ACc0HMCcg0OjB5U0pKB8lid8qJSaKNg6
V9zM6VoyVCTsYgagAI9q11dLmscgkhnjIaur/Ego8CYq7hGTH1frGfvfBA3xy/Or
kINmeHAt/6Nf3mzSURQX
=8470
-----END PGP SIGNATURE-----
- [IT-SecNots] [SECURITY] [DSA 3403-1] libcommons-collections3-java security update, Moritz Muehlenhoff, 24.11.2015
Archiv bereitgestellt durch MHonArc 2.6.19.