Debian Bug report logs - #793397
Remote execution of untrusted code, DoS (CVE-2015-3253)


Reported by: Luca Bruno <lucab@debian.org>

Date: Thu, 23 Jul 2015 16:00:01 UTC

Owned by: Miguel Landaeta <nomadium@debian.org>

Severity: grave

Tags: confirmed, security, upstream

Found in version groovy/1.8.6-1

Fixed in versions groovy/2.4.6-1, groovy/1.8.6-4+deb8u1, groovy/1.8.6-1+deb7u1

Done: Miguel Landaeta <nomadium@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#793397; Package groovy. (Thu, 23 Jul 2015 16:00:05 GMT)


Acknowledgement sent to Luca Bruno <lucab@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 23 Jul 2015 16:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luca Bruno <lucab@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Remote execution of untrusted code, DoS (CVE-2015-3253)
Date: Thu, 23 Jul 2015 17:57:54 +0200
Package: groovy
Version: 1.8.6-1
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.

CVE-2015-3253 has been assigned to this issue.
Please mention it in the changelog when fixing the issue.

References:
 * Bulletin
   http://seclists.org/bugtraq/2015/Jul/78
 * Security update
   http://groovy-lang.org/security.html
 * Fixing commit (on 2.4.x branch)
   https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
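The report above describes the general failure mode: an application that feeds untrusted bytes to standard Java serialization will resolve and instantiate whatever classes the stream names, and a library such as Groovy on the classpath supplies the classes that turn that into code execution. The defensive counterpart is to refuse class resolution for anything not explicitly expected. The following is an added example, not code from the Groovy project or from this bug report; the class names `AllowlistDeserialization`, `AllowlistObjectInputStream` and `Greeting`, and the sample payloads, are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;

/**
 * Added example (not Groovy project code): an ObjectInputStream that resolves
 * only classes on an explicit allowlist. Any class descriptor in the stream
 * that is not on the list, Groovy's included, is rejected before the JVM
 * loads or instantiates it. Class names and payloads here are constructed.
 */
public class AllowlistDeserialization {

    /** ObjectInputStream subclass that vetoes class resolution. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called for every non-primitive class descriptor in the stream,
            // before the class is loaded; this is the point to refuse unknown types.
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            // Dynamic proxies are a frequent link in gadget chains; refuse them outright.
            throw new InvalidClassException("dynamic proxy classes are not permitted");
        }
    }

    /** Constructed, benign type standing in for the application's own messages. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(Greeting.class.getName());

        // An allowlisted type round-trips normally.
        Greeting ok = (Greeting) deserialize(serialize(new Greeting("hello")), allowed);
        System.out.println("accepted: " + ok.text);

        // Any other type named in the stream (here an ordinary ArrayList, standing
        // in for whatever class a hostile stream might reference) is refused.
        try {
            deserialize(serialize(new java.util.ArrayList<String>()), allowed);
            System.out.println("unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately a list of classes the application expects rather than a blocklist of known gadget classes: a blocklist only covers the gadgets already published, while an allowlist also refuses the next library that turns up on the classpath. On Java 9 and later the same policy can be expressed without subclassing through `ObjectInputStream.setObjectInputFilter` and `ObjectInputFilter.Config.createFilter`, whose pattern syntax also carries `maxdepth`, `maxarray` and `maxbytes` limits that address the resource-exhaustion side of reports like this one.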



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#793397; Package groovy. (Sat, 25 Jul 2015 17:45:08 GMT)


Acknowledgement sent to Miguel Landaeta <nomadium@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 25 Jul 2015 17:45:09 GMT)


Message #10 received at 793397@bugs.debian.org:

From: Miguel Landaeta <nomadium@debian.org>
To: 793397@bugs.debian.org, 793398@bugs.debian.org
Subject: Re: groovy: Remote execution of untrusted code, DoS (CVE-2015-3253)
Date: Sat, 25 Jul 2015 14:45:36 -0300
owner 793397 !
tags 793397 + confirmed
owner 793398 !
tags 793398 + confirmed
thanks

Thanks for the report, I'll take care of this bug.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche

Owner recorded as Miguel Landaeta <nomadium@debian.org>. Request was from Miguel Landaeta <nomadium@debian.org> to control@bugs.debian.org. (Sat, 25 Jul 2015 17:45:19 GMT)


Added tag(s) confirmed. Request was from Miguel Landaeta <nomadium@debian.org> to control@bugs.debian.org. (Sat, 25 Jul 2015 17:45:20 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Mon, 02 May 2016 22:45:10 GMT)


Notification sent to Luca Bruno <lucab@debian.org>:
Bug acknowledged by developer. (Mon, 02 May 2016 22:45:10 GMT)


Message #19 received at 793397-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 793397-close@bugs.debian.org
Subject: Bug#793397: fixed in groovy 2.4.6-1
Date: Mon, 02 May 2016 22:42:09 +0000
Source: groovy
Source-Version: 2.4.6-1

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 02 May 2016 22:14:13 +0200
Source: groovy
Binary: groovy groovy-doc
Architecture: source all
Version: 2.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 groovy     - Agile dynamic language for the Java Virtual Machine
 groovy-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793397 793630 800859
Changes:
 groovy (2.4.6-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release
     - Closes: #793397, #793630, #800859
     - Refreshed the patches
     - Updated the poms
   * Reverted to groovy as the package name
   * Depend on libasm-java (>= 5.0) instead of libasm4-java
   * Removed the build dependency on libcobertura-java
   * Standards-Version updated to 3.9.8 (no changes)
   * Use secure Vcs-* URLs
   * Updated debian/watch to track the latest releases
   * Removed the unused debian/orig-tar.sh script
Checksums-Sha1:
 5872c64000e045fc81082d33b1964f1fbad28e3e 2307 groovy_2.4.6-1.dsc
 7d7e25c4b024bd478e14454301bda03f14f150fa 2975660 groovy_2.4.6.orig.tar.xz
 92ad9e2c2c6f3da770130230d2bd980412569e98 23228 groovy_2.4.6-1.debian.tar.xz
 66b1f95ff9bb00573cd5210934cdc31265110628 3206478 groovy-doc_2.4.6-1_all.deb
 023e351e87582f49036eb199bcbb326c5695ea2d 11787994 groovy_2.4.6-1_all.deb
Checksums-Sha256:
 e8d83a0d8fd94cb5f7f226929b84a8a943426abc4298112fcdc0ce0f325ee360 2307 groovy_2.4.6-1.dsc
 2d9ad2f0ededcc486ace193fb0768690423e389b89559772596a4ca16b6264e0 2975660 groovy_2.4.6.orig.tar.xz
 760a0df409b43ad009d4508f646bb1dc7a69c637d0b07f969b8486e80b2737e8 23228 groovy_2.4.6-1.debian.tar.xz
 64a1675d3e2f27a3bac9c8f7063e560f7b99da67ad6da2c4e02ced2cdbf25610 3206478 groovy-doc_2.4.6-1_all.deb
 fa72ebe1937562fd80bd68f062a59f100cce349719f5f827eebc7eedd444ebd3 11787994 groovy_2.4.6-1_all.deb
Files:
 2e546c8432c27e98a984a0cb2a1ab997 2307 java optional groovy_2.4.6-1.dsc
 3624580b04cfc8f5a7a14aa517e55dd9 2975660 java optional groovy_2.4.6.orig.tar.xz
 8d4dced4912751252d078452dcc1efb4 23228 java optional groovy_2.4.6-1.debian.tar.xz
 72c521633f15fbbec929b6fd0aee88d9 3206478 doc optional groovy-doc_2.4.6-1_all.deb
 aa81cb5269a9f0b79eb059b649cc6b69 11787994 java optional groovy_2.4.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXJ7gcAAoJEPUTxBnkudCsM/YP/iR9XBG51B8diO8NQ0d4sgy3
WppZ/1VdaeBBAz5V9TvFm3zMz0PlbpWlazGve2I+rE1Xr5pPCv7vNaWB6G7bUNs2
egaRM99x+NRpBXkXJZlK8DZOAtkJ96Ht0g26KwYk+gTW5QW/X9o+L3vHOW6JY3+N
yvVruvlwu1hnpTQh8a6NQh0LWbKqXzn5WKitahkH5itWcP+LE47olTG/85wk1njI
E+9zjJkINfRiH93ZAacQQPTgdSCYBdAT7lZGGgF1Fwua4qS/o5eJ5CP1tZMaHF+9
08s8J7kFSn0XIwOATqhx+eACIL4s69P7vLmVzvfVJB/VDa9bzkc7QeVS5ULQOfar
qhSmEKGNsS/txumivttx9tzVtXSkcCKw+b/ry2Qkw+8ewJ1OXHcXL0XUg7RbUrin
HP4pJdRq+xBXdDUtzGqPqpO/TUS8npLaScXia4RCwsOPsqEMRnB2N/lSGYSMxSVi
hu7eadun7bs94JT+UNpqPa1/A/iVYMktaa+scMnd9J/n+Wgpb2SMOWi9X8qasCMJ
VkXb6+M9q2SE47zL4jLY/JtzUz0FyLWk48cB7Ghl7i4YX+S0edpCAQvPvmbk0l2/
WlEViPFM4mzxq560chzEXYSt/dRvozS2a26MkWIWqmEnmrvl6noocp49XI5Sgerd
hcWhLbCELvBI0rhDxlxP
=VXBv
-----END PGP SIGNATURE-----




Reply sent to Miguel Landaeta <nomadium@debian.org>:
You have taken responsibility. (Sat, 21 May 2016 13:21:08 GMT)


Notification sent to Luca Bruno <lucab@debian.org>:
Bug acknowledged by developer. (Sat, 21 May 2016 13:21:08 GMT)


Message #24 received at 793397-close@bugs.debian.org:

From: Miguel Landaeta <nomadium@debian.org>
To: 793397-close@bugs.debian.org
Subject: Bug#793397: fixed in groovy 1.8.6-4+deb8u1
Date: Sat, 21 May 2016 13:17:08 +0000
Source: groovy
Source-Version: 1.8.6-4+deb8u1

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomadium@debian.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jul 2015 18:27:24 -0300
Source: groovy
Binary: groovy groovy-doc
Architecture: source all
Version: 1.8.6-4+deb8u1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomadium@debian.org>
Description:
 groovy     - Agile dynamic language for the Java Virtual Machine
 groovy-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793397
Changes:
 groovy (1.8.6-4+deb8u1) stable; urgency=high
 .
   * Fix remote execution of untrusted code and possible DoS vulnerability.
     (CVE-2015-3253) (Closes: #793397).
Checksums-Sha1:
 17aa76b38c8340515c2e53c3fe8878abdb09c4ba 2469 groovy_1.8.6-4+deb8u1.dsc
 38514ca88cb214e50b252720c737233f67507968 2794777 groovy_1.8.6.orig.tar.gz
 d287dfd51583ac9247bf73bdf35d889945ace350 14868 groovy_1.8.6-4+deb8u1.debian.tar.xz
 cf5c3c741a7fecea8fcb432a86477acd03988876 9745930 groovy_1.8.6-4+deb8u1_all.deb
 b916ed589a85fbd3e9f42c7b664db50db7bd6eaf 2445554 groovy-doc_1.8.6-4+deb8u1_all.deb
Checksums-Sha256:
 9612b4469861fde177ecb372f7bfbba5b7b5ab2c228b351b07bff1887fcaacb9 2469 groovy_1.8.6-4+deb8u1.dsc
 15bffe8a0432c7f316511d7259837f5fe4d4126acbc5ba8eaa2c39409e98646f 2794777 groovy_1.8.6.orig.tar.gz
 abe80980b789b2250ebd85f644f64ecc746f3dc483f3b5345d14ab1ce5f9e3cd 14868 groovy_1.8.6-4+deb8u1.debian.tar.xz
 12b2ac0f225e790345cc22956e40dea192fc9ca6653acd8c2d148ccae5d7edfe 9745930 groovy_1.8.6-4+deb8u1_all.deb
 e5d24345e5e5b65ead134dd435032e67635a530a01826599f980e83bca6270b4 2445554 groovy-doc_1.8.6-4+deb8u1_all.deb
Files:
 2b55b29d18980524b6b4e14127abb7b3 2469 java optional groovy_1.8.6-4+deb8u1.dsc
 eaf00260343f91da32a2aea900f7aa24 2794777 java optional groovy_1.8.6.orig.tar.gz
 a6c8408723c5a41b4d54bdeda2d75dbf 14868 java optional groovy_1.8.6-4+deb8u1.debian.tar.xz
 017c1d98d6d19ebfbc87ecb17e0f6f17 9745930 java optional groovy_1.8.6-4+deb8u1_all.deb
 571ea2debedd3887ceb1a6a1d04f4653 2445554 doc optional groovy-doc_1.8.6-4+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=yV14
-----END PGP SIGNATURE-----




Reply sent to Miguel Landaeta <nomadium@debian.org>:
You have taken responsibility. (Sat, 21 May 2016 13:21:11 GMT)


Notification sent to Luca Bruno <lucab@debian.org>:
Bug acknowledged by developer. (Sat, 21 May 2016 13:21:11 GMT)


Message #29 received at 793397-close@bugs.debian.org:

From: Miguel Landaeta <nomadium@debian.org>
To: 793397-close@bugs.debian.org
Subject: Bug#793397: fixed in groovy 1.8.6-1+deb7u1
Date: Sat, 21 May 2016 13:17:30 +0000
Source: groovy
Source-Version: 1.8.6-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomadium@debian.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jul 2015 19:59:19 -0300
Source: groovy
Binary: groovy groovy-doc
Architecture: source all
Version: 1.8.6-1+deb7u1
Distribution: oldstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomadium@debian.org>
Description: 
 groovy     - Agile dynamic language for the Java Virtual Machine
 groovy-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793397
Changes: 
 groovy (1.8.6-1+deb7u1) oldstable; urgency=high
 .
   * Fix remote execution of untrusted code and possible DoS vulnerability.
     (CVE-2015-3253) (Closes: #793397).
Checksums-Sha1: 
 dda189e2339ea66215c51d6dac3de2ca0af9128c 2451 groovy_1.8.6-1+deb7u1.dsc
 38514ca88cb214e50b252720c737233f67507968 2794777 groovy_1.8.6.orig.tar.gz
 b7b660024eb3a776d237ebeec237763b3664d1c2 14625 groovy_1.8.6-1+deb7u1.debian.tar.gz
 6210f1cfc2d05384d934727e6c12a60adad492c5 10443016 groovy_1.8.6-1+deb7u1_all.deb
 85a313f77909ed19601fd87e12f0d146120e4698 4721506 groovy-doc_1.8.6-1+deb7u1_all.deb
Checksums-Sha256: 
 927294373f44def677f717fd5353a15b2ab68821d5c6a6c83468de0e34164750 2451 groovy_1.8.6-1+deb7u1.dsc
 15bffe8a0432c7f316511d7259837f5fe4d4126acbc5ba8eaa2c39409e98646f 2794777 groovy_1.8.6.orig.tar.gz
 d0b026d7e5f39c10791c4096f3ab466693bcd8d0057a30e23ea899fe9d096cbf 14625 groovy_1.8.6-1+deb7u1.debian.tar.gz
 a9025b350f79dd62c995cfc5a241178e920e35184ce24276ef4607cbacffbbdb 10443016 groovy_1.8.6-1+deb7u1_all.deb
 6164f5346edc8647f9c76196d8d15f511749c3cd28e1dad2cbd77105ae4b70fa 4721506 groovy-doc_1.8.6-1+deb7u1_all.deb
Files: 
 b26586221fade3eeff2f3f9fd4069b5e 2451 java optional groovy_1.8.6-1+deb7u1.dsc
 eaf00260343f91da32a2aea900f7aa24 2794777 java optional groovy_1.8.6.orig.tar.gz
 eede44ff2da6e9a6c9f5dc09c6c3a7d8 14625 java optional groovy_1.8.6-1+deb7u1.debian.tar.gz
 9ce564761befc2add82abb23a6ff59e1 10443016 java optional groovy_1.8.6-1+deb7u1_all.deb
 9fb257ff3fa7d91ecad6b6aca4a5cf78 4721506 doc optional groovy-doc_1.8.6-1+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV0kcnAAoJEGIODQuJV82lRfgP/ipZgzjVeaYJeCIYYWK1JAQE
n/JzFouZSZpYCQ5ml/00j67KPMhxr8pRoKw4KKm3+Ft5IHfE8plwpHEgS83nAxcT
FVnjdJmUcvbUEpomRsd2rg8h4qxt4W86EHgC8zKV3p0kDrpkwY1s4U8P6IQZ4hvD
EMjnZnI20OYVa7WMMzBiL/Pwe902vxkZkJvR3hSiaIeQJa1ZW9mE+XbirX2BfBQr
jWQ99Krxj+kq73qETvofKfIOajbnyeqZzF6mqEEatsY9dsRyNhGAkCTg3rcS3qS9
gZfAHh0DgqpZ49bb8MGbpnK5rQkPE2gehlhZVo3kEZfte0Cr5wix9b4UyezyhBs6
UcN/MKaAUrS0SKelPkq3LSwEtkbt+t7qO+0xjI6y4JDSFiznvHMQCKt1e7CcXVmO
el6PYJEz18UwLy4iIEZImGUIF6NfRrCn2vRH+I+fqi3bnMQ/ngx8VfP9HDvgxIbu
I07N6a+fWNksw9qD9HicSPnDow5DipVy7q4i7HppOXGFRe9If1z+bYCyclvbSUE2
rfkgMw+j1HWZdEJVqFlZ1xfE8NqE4w+mCPCZ9hmtDszD8tQG1TbZmeY92MCKUQHl
DGAJhW6uQ0eaKqHAzhRkRFebw6MHbFqvSzupffwkuwJZUvTWh8ZirKA7Hbkc03qp
3E9WfCy7z34bGRmarDrb
=qhwu
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jun 2016 07:33:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:49:17 2019; Machine Name: buxtehude
