Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 5290-1] commons-configuration2 security update

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [SECURITY] [DSA 5290-1] commons-configuration2 security update


Chronologisch Thread  
    < Chronologisch >       < Thread >
  • From: Markus Koschany <apo AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 5290-1] commons-configuration2 security update
  • Date: Mon, 28 Nov 2022 11:38:15 +0000
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=none; spf=none (mail.piratenpartei.de: domain of "bounce-debian-security-announce=it-securitynotifies=lists.piratenpartei.de AT lists.debian.org" has no SPF policy when checking 82.195.75.100) smtp.mailfrom="bounce-debian-security-announce=it-securitynotifies=lists.piratenpartei.de AT lists.debian.org"
  • List-archive: https://lists.debian.org/msgid-search/Y4Sdp729CDfFkgtd AT seger.debian.org
  • List-id: <debian-security-announce.lists.debian.org>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.seger; h=Content-Type:MIME-Version:Message-ID:Subject:To:From:Date :Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description: In-Reply-To:References; bh=Yp4X46RMEly9x+PmMnsyjqMB6VuOB/CPfyhrLerMRA8=; b=lO BrhLURWcO9K/8yqStGgdktk7mV2VvJeMYWg19xcQfXnZFPe2L87wWGSHYkSza2RQyh/SBmzIZyxr3 luUrU9R4pecqCF0erLlMi5LH+DhCNYQ05r+CKa+CX7gwAz5TNX8am9VNJgMXhJFGC28Qpujw8TPS4 DT1SR1tcGWuqOGhS2edFjHOvfpksv/+dxJxO7vMEZbmjKUkYZTxUVuqu0ZSXG/l1DVsLAVH4d20II 0iALo3iB5nplwN3OaA7K5gXtJJA/35wVYU5OYhZlJVipMGt9Rc2dpIEGtj3tmrmUF2Iwa94gXC+dt s2QltSCLLkp1/kjP3RiiNd2mkfgVOBXA==;
  • Old-return-path: <apo AT seger.debian.org>
  • Priority: urgent
  • Resent-date: Mon, 28 Nov 2022 11:54:13 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <1jmQByScY-O.A.mbC.kFKhjB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5290-1 security AT debian.org
https://www.debian.org/security/ Markus Koschany
November 28, 2022 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : commons-configuration2
CVE ID : CVE-2022-33980
Debian Bug : 1014960

Apache Commons Configuration, a Java library providing a generic configuration
interface, performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. Starting with version 2.4 and continuing
through 2.7, the set of default Lookup instances included interpolators that
could result in arbitrary code execution or contact with remote servers. These
lookups are: - "script" - execute expressions using the JVM script execution
engine (javax.script) - "dns" - resolve dns records - "url" - load values from
urls, including from remote server applications using the interpolation
defaults in the affected versions may be vulnerable to remote code execution
or
unintentional contact with remote servers if untrusted configuration values
are
used.

For the stable distribution (bullseye), this problem has been fixed in
version 2.8.0-1~deb11u1.

We recommend that you upgrade your commons-configuration2 packages.

For the detailed security status of commons-configuration2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/commons-configuration2

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmOEnGNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTfixAAmUQeUZMfhGZTOpy54duxupRdD9aUOa7K2wYvEt2QmHa+2rusZX2NZnFq
veVHX7N1n2gZq8LJVOUMQjWhtjO1mz73+0jmmzSlYtbarscflGRmRCn7HlHwnjAQ
KFbhRf9DAkKbXVLquwMbviNZthhNg4Y01XvTWrxBorjqMI5DSl1cE5nH7c0gTOSJ
QAuEuOnF2Rf9RHHzabRhrGTiWDgRjstMwUQm3eUet3U8Mcm7hpNGKvJt+rlnlY3k
+tH6FkDqr7Vo+Ban2eEzmtlxsZM75HlsIg+oq7HaRtmd/L0wthlF/VcZuCYAqJsH
RF5L1Xrvsp3/rGXcKV1y5mOCHI+WUvgYRyoir6xW5UMlc7wABMBlsMGN5HcUN+5Y
RDTairCWGULTpD3iRv+Nj61JLE9T9tBqX4j+mJ4TlRW5Sl26o/yX6pFZpb2Fj896
awb7ZRJaq1iV1jhSmxTTh5EdR9/JxJyB+CXN3gAAlWrffJhJaQZW43jIHKO6+J70
GJZfx5s+c6WXpuZQ51qMfEvghOPgCuyB5MIRMVazEGXrU++xylUfTjwepZ5akEip
SaMaCpnk1EecVMiLdeu2tlrJgm8XJdGXcofUpryM76dgDNe1ghKbTL3AEdb2C9+e
n5xGDJDXHm0xR99oIHoUU6l8k8MggkahuuugF9P09FohGC6Z8a8=
=JxWQ
-----END PGP SIGNATURE-----


  • [IT-SecNots] [SECURITY] [DSA 5290-1] commons-configuration2 security update, Markus Koschany, 28.11.2022

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang