Your message dated Wed, 19 Aug 2015 18:17:06 +0000 with message-id <e1zs7v8-0006b4...@franck.debian.org> and subject line Bug#793398: fixed in groovy2 2.2.2+dfsg-3+deb8u1 has caused the Debian Bug report #793398, regarding Remote execution of untrusted code, DoS (CVE-2015-3253) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 793398: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793398 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: groovy2 Version: 2.2.2+dfsg-3 Severity: grave Tags: security upstream cpnrodzc7, working with HP's Zero Day Initiative, discovered that Java applications using standard Java serialization mechanisms to decode untrusted data, and that have Groovy on their classpath, can be passed a serialized object that will cause the application to execute arbitrary code. This is issue has been marked as fixed in Groovy 2.4.4 and a standalone security patch has been made available. CVE-2015-3253 has been assigned to this issue. Please mention it in the changelog when fixing the issue. References: * Bulletin http://seclists.org/bugtraq/2015/Jul/78 * Security update http://groovy-lang.org/security.html * Fixing commit https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d Cheers, Luca -- System Information: Debian Release: 8.1 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---Source: groovy2 Source-Version: 2.2.2+dfsg-3+deb8u1 We believe that the bug you reported is fixed in the latest version of groovy2, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 793...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Miguel Landaeta <nomad...@debian.org> (supplier of updated groovy2 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 25 Jul 2015 15:46:24 -0300 Source: groovy2 Binary: groovy2 groovy2-doc Architecture: source all Version: 2.2.2+dfsg-3+deb8u1 Distribution: stable Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> Changed-By: Miguel Landaeta <nomad...@debian.org> Description: groovy2 - Agile dynamic language for the Java Virtual Machine groovy2-doc - Agile dynamic language for the Java Virtual Machine (documentatio Closes: 793398 Changes: groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high . * Fix remote execution of untrusted code and possible DoS vulnerability. (CVE-2015-3253) (Closes: #793398). Checksums-Sha1: ad8ea7c47389f27192f6d4b5529d13e136f37c3f 2346 groovy2_2.2.2+dfsg-3+deb8u1.dsc 530f6a099fc2cd7256fddb3a86ae6377b226d44e 2675205 groovy2_2.2.2+dfsg.orig.tar.gz 0949bfc0a92d3eed74e0f09a74456aaa06760390 21672 groovy2_2.2.2+dfsg-3+deb8u1.debian.tar.xz 40097dcb94aa3e408d781d339817b08a89dac214 18123242 groovy2_2.2.2+dfsg-3+deb8u1_all.deb e63961125ede7e7d26935347537f3b23fba68b97 2639026 groovy2-doc_2.2.2+dfsg-3+deb8u1_all.deb Checksums-Sha256: 6f08a3d4ed67f2f6654e0ab5c4b9401b9e95319fdc971ee85269692149dbd9f6 2346 groovy2_2.2.2+dfsg-3+deb8u1.dsc 4462f185fa5f839952a4d82e74d8f638868409abfa593b570556f4ea882769b1 2675205 groovy2_2.2.2+dfsg.orig.tar.gz 972bf5a76dfa35c7eaf54ea74ab1df5c88ecfd7c127e841b263019325ea0989d 21672 groovy2_2.2.2+dfsg-3+deb8u1.debian.tar.xz d2acf68e2c76d6ee5afb17a9efc080d4e5d22e7ebc0fbb67f20fe9fcda1209ff 18123242 groovy2_2.2.2+dfsg-3+deb8u1_all.deb 778cab433da7ec98b60c8511614bd26e76c6d3174d1a149e170d5577f1b6b02b 2639026 groovy2-doc_2.2.2+dfsg-3+deb8u1_all.deb Files: afaf13f2cf8969dc431b55cefbaf2109 2346 java optional groovy2_2.2.2+dfsg-3+deb8u1.dsc 31d5eb3c92d1ba108578f59900ff019e 2675205 java optional groovy2_2.2.2+dfsg.orig.tar.gz 9c7cf938d1afc0a0288b1d760fbb43cc 21672 java optional groovy2_2.2.2+dfsg-3+deb8u1.debian.tar.xz ea9a574d15b143468eeef11323f4eddb 18123242 java optional groovy2_2.2.2+dfsg-3+deb8u1_all.deb a99e67e8670a2e8fc415952e6b05dbc6 2639026 doc optional groovy2-doc_2.2.2+dfsg-3+deb8u1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJV0kpAAAoJEGIODQuJV82l2cAQAJuGZRE7LkDpg4P6AFml2EBU hdGVFZnXqfNSVoc46BO8106S0VRijCoQBQhvdxsQ8cYrh+ZJ/Ul2w36PRLCxqe6f E86dwvIdWqbYvQFbIeY8mm4InJRDZpn7XyhLZsqB/LycVsBIIvMr0DnvvPj3E9If 4BJ2Q6G8+plELTQVeVTo5whsm9aBMCbm5npMNCWEZ++9IsxDHn1B7K7d6mcKZ9m+ 02FIPrQodJaqDliIc7KeWvonHMCVdHyDsRaPmdkbYzF+WXZLjRcAKryVzryrRtEv IiAivclq5ih3oRgkV5c9i+r6gLsdah0r6jBUuKXiyAHNHKyjbVyCK+yoiGkXEhZs Vuzn3PPEHuBYLplc6uYWuXfZgr077HkN8hNRPJdNnysJ3ut0o8e1dTiArFnaYgrY l8OqL7BR/EtG8UNSVzkCeAPYjYHEIcsa7yRvua4mtllf0q2ZTHvFEBO1LI/jmzRw KCUNagI20ucF5lZ3+oWDI0ir4oU+SFg1uju2231RAuj5hA8ELwRgWPqYygiJvEPp C45kKyJCQlTrXao7rFTJrAN022MFfw4fZYEoBl1R5Umbh1gsJKY8P2Mruwihavjw Rz0T9XrvsGEtWbbfUuJQcClC+vAW3zKrjlyUSafRbiSxxYX4xhUXOH+JqdP78xRt ddd4Hvn3J+a6/MZZoS/C =ttYb -----END PGP SIGNATURE-----
--- End Message ---
