Debian Bug report logs - #851408
CVE-2016-6814

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 14 Jan 2017 16:03:02 UTC

Severity: grave

Tags: security

Found in versions groovy/2.4.7-4, groovy/1.8.6-4

Fixed in version groovy/2.4.8-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851408; Package src:groovy. (Sat, 14 Jan 2017 16:03:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 14 Jan 2017 16:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-6814
Date: Sat, 14 Jan 2017 16:59:00 +0100
Source: groovy
Severity: grave
Tags: security

Hi,
please see http://seclists.org/oss-sec/2017/q1/92

Cheers,
        Moritz



Marked as found in versions groovy/2.4.7-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Jan 2017 16:21:07 GMT)


Marked as found in versions groovy/1.8.6-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Jan 2017 16:21:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#851408; Package src:groovy. (Sun, 15 Jan 2017 10:09:08 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 15 Jan 2017 10:09:08 GMT)


Message #14 received at 851408@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 851408@bugs.debian.org
Subject: Re: Bug#851408: CVE-2016-6814
Date: Sun, 15 Jan 2017 09:51:33 +0100
On 14/01/2017 at 16:59, Moritz Muehlenhoff wrote:
> Source: groovy
> Severity: grave
> Tags: security
> 
> Hi,
> please see http://seclists.org/oss-sec/2017/q1/92
> 
> Cheers,
>         Moritz

Hi Moritz,

Thank you for the info. Note that Groovy isn't to blame for this kind of
serialization issue; the real issue is applications relying on
serialization and not sanitizing the input data (i.e. applications
should whitelist the classes allowed to be deserialized; it's impossible
to use Java serialization securely otherwise).

Emmanuel Bourg
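
The class whitelisting Emmanuel describes, as an added illustration that is not part of this bug report, of Groovy, or of the Debian package: an ObjectInputStream subclass that refuses to resolve any class not on an explicit allowlist, so unexpected classes are rejected before they are loaded or instantiated. The class names, the allowlist contents and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.*;

public class AllowlistDeserialization {
    /** ObjectInputStream that resolves only classes on an explicit allowlist. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Refuse before the class is loaded: loading alone can run static initializers,
            // and readObject/readResolve of an unexpected class would run on the next step.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Helper that builds the constructed sample input for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The application only ever expects a list of strings, so that is all it accepts.
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.ArrayList", "java.lang.String"));
        byte[] expected = serialize(new ArrayList<>(Arrays.asList("a", "b")));
        try (ObjectInputStream in = new AllowlistObjectInputStream(expected, allowed)) {
            System.out.println("accepted: " + in.readObject());
        }
        // Any other class in the stream (here a plain HashMap) is rejected before instantiation.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try (ObjectInputStream in = new AllowlistObjectInputStream(unexpected, allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through java.io.ObjectInputFilter, which additionally lets you cap graph depth, array sizes and reference counts.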




Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Mon, 16 Jan 2017 00:51:20 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 16 Jan 2017 00:51:20 GMT)


Message #19 received at 851408-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 851408-close@bugs.debian.org
Subject: Bug#851408: fixed in groovy 2.4.8-1
Date: Mon, 16 Jan 2017 00:48:48 +0000
Source: groovy
Source-Version: 2.4.8-1

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851408@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 16 Jan 2017 00:44:33 +0100
Source: groovy
Binary: groovy groovy-doc groovy2
Architecture: source all
Version: 2.4.8-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 groovy     - Agile dynamic language for the Java Virtual Machine
 groovy-doc - Agile dynamic language for the Java Virtual Machine (documentatio
 groovy2    - Agile dynamic language for the Java Virtual Machine (transitional
Closes: 851408
Changes:
 groovy (2.4.8-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release
     - Fixes CVE-2016-6814: serialization vulnerability (Closes: #851408)
     - Refreshed the patches
     - Updated the poms
   * Disabled parallel building





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:28:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:28:30 2019; Machine Name: beach
