Your message dated Sun, 20 Jul 2025 12:34:02 +0000
with message-id <[email protected]>
and subject line Bug#1106746: fixed in commons-beanutils 1.10.1-1.1
has caused the Debian Bug report #1106746,
regarding commons-beanutils: CVE-2025-48734
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1106746: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106746
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: commons-beanutils
Version: 1.10.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for commons-beanutils.

CVE-2025-48734[0]:
| Improper Access Control vulnerability in Apache Commons. A special
| BeanIntrospector class was added in version 1.9.2. This can be used
| to stop attackers from using the declared class property of Java
| enum objects to get access to the classloader. However this
| protection was not enabled by default. PropertyUtilsBean (and
| consequently BeanUtilsBean) now disallows declared class level
| property access by default. Releases 1.11.0 and 2.0.0-M2 address a
| potential security issue when accessing enum properties in an
| uncontrolled way. If an application using Commons BeanUtils passes
| property paths from an external source directly to the getProperty()
| method of PropertyUtilsBean, an attacker can access the enum’s class
| loader via the “declaredClass” property available on all Java “enum”
| objects. Accessing the enum’s “declaredClass” allows remote attackers
| to access the ClassLoader and execute arbitrary code. The same issue
| exists with PropertyUtilsBean.getNestedProperty(). Starting in
| versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses
| the “declaredClass” property. Note that this new BeanIntrospector is
| enabled by default, but you can disable it to regain the old
| behavior; see section 2.5 of the user's guide and the unit tests.
| This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and
| 2.x before 2.0.0-M2. Users of the artifact
| commons-beanutils:commons-beanutils 1.x are recommended to upgrade to
| version 1.11.0, which fixes the issue. Users of the artifact
| org.apache.commons:commons-beanutils2 2.x are recommended to upgrade
| to version 2.0.0-M2, which fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-48734
    https://www.cve.org/CVERecord?id=CVE-2025-48734
[1] https://www.openwall.com/lists/oss-security/2025/05/28/6
[2] https://dlcdn.apache.org/commons/beanutils/RELEASE-NOTES.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
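The CVE text quoted in the report above describes the mitigation in API terms: register a BeanIntrospector that hides the enum class property, so that property paths taken from an external source cannot reach it through PropertyUtilsBean.getProperty() or getNestedProperty(). The Java class below is an added example, not code from the bug report, from Salvatore, or from the Apache Commons project. It assumes commons-beanutils 1.9.2 or later on the classpath (the 1.10.1 packaged here included), uses the library's existing SuppressPropertiesBeanIntrospector and PropertyUtilsBean API, and constructs its own Order/Status bean and property name set for the check; "declaringClass" is the bean property backing Enum.getDeclaringClass(), and "declaredClass" is the spelling used in the CVE text, so both are suppressed.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added example (not part of the Debian bug report or of upstream):
 * checks that a PropertyUtilsBean fed externally supplied property paths
 * no longer resolves the enum class property described in CVE-2025-48734.
 * Order and Status are constructed for this demo.
 */
public class BeanUtilsHardeningCheck {

    // A constructed bean with an enum-typed property, as a form or JSON
    // binder might expose it to BeanUtils.
    public enum Status { NEW, SHIPPED }

    public static class Order {
        private Status status = Status.NEW;
        public Status getStatus() { return status; }
        public void setStatus(Status s) { status = s; }
    }

    // Property names hidden on every introspected bean. "class" is what the
    // library's own SUPPRESS_CLASS constant hides; the two enum class
    // spellings are listed together (assumption: a name that matches no
    // property is simply ignored by the introspector).
    private static final Set<String> SUPPRESSED;
    static {
        Set<String> s = new HashSet<String>();
        s.add("class");
        s.add("declaringClass");
        s.add("declaredClass");
        SUPPRESSED = Collections.unmodifiableSet(s);
    }

    /** A fresh PropertyUtilsBean with the suppressing introspector registered. */
    public static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(SUPPRESSED));
        return pub;
    }

    /** Hardens the shared instance behind the static BeanUtils/PropertyUtils helpers. */
    public static void hardenSharedInstance() {
        BeanUtilsBean.getInstance().getPropertyUtils()
                .addBeanIntrospector(new SuppressPropertiesBeanIntrospector(SUPPRESSED));
    }

    /**
     * True if the property path resolves on the bean, false if the library
     * reports it as unknown. Serves as a regression check: after hardening
     * the enum class path must be rejected while ordinary properties still work.
     */
    public static boolean pathResolves(PropertyUtilsBean pub, Object bean, String path) {
        try {
            pub.getNestedProperty(bean, path);
            return true;
        } catch (NoSuchMethodException e) {
            return false;   // suppressed or absent property
        } catch (ReflectiveOperationException e) {
            return false;   // IllegalAccessException / InvocationTargetException
        }
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Stands in for a path arriving in a request parameter.
        String untrustedPath = "status.declaringClass";

        PropertyUtilsBean defaults = new PropertyUtilsBean();
        System.out.println("default resolves enum class path: "
                + pathResolves(defaults, order, untrustedPath)); // true before 1.11.0

        PropertyUtilsBean safe = hardened();
        System.out.println("hardened resolves enum class path: "
                + pathResolves(safe, order, untrustedPath));     // false

        System.out.println("hardened still reads 'status': "
                + pathResolves(safe, order, "status"));          // true
    }
}
```

Run it against the unpatched 1.10.1 jar and the first line prints true, which is the condition the CVE describes; with the introspector registered it prints false while the plain "status" property stays readable. Applications that call the static BeanUtils/PropertyUtils helpers share one instance, so hardenSharedInstance() has to run once at startup; from 1.11.0 on the library registers its own suppressing introspector by default and the call becomes redundant but harmless.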
--- Begin Message ---
Source: commons-beanutils
Source-Version: 1.10.1-1.1
Done: Adrian Bunk <[email protected]>

We believe that the bug you reported is fixed in the latest version of
commons-beanutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <[email protected]> (supplier of updated commons-beanutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 17 Jul 2025 16:01:37 +0300
Source: commons-beanutils
Architecture: source
Version: 1.10.1-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Adrian Bunk <[email protected]>
Closes: 1106746
Changes:
 commons-beanutils (1.10.1-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-48734: Improper access control (Closes: #1106746)
Checksums-Sha1:
 845141308e08e84b6185687e8167d839b09dde03 2317 commons-beanutils_1.10.1-1.1.dsc
 8f4ed8b96e9fda0245821b79458333d25ce6b734 6604 commons-beanutils_1.10.1-1.1.debian.tar.xz
Checksums-Sha256:
 cc17bae208c3d9afb9fc0e0462e9a6519c2fcd65c6b952fb33b009b34b1c3ec5 2317 commons-beanutils_1.10.1-1.1.dsc
 e8cee3e829e61f19a0b389efea35db1866f3a912553b3351632cd522c1cb2e07 6604 commons-beanutils_1.10.1-1.1.debian.tar.xz
Files:
 3089bec5d615a000d9d24cb4467234c9 2317 java optional commons-beanutils_1.10.1-1.1.dsc
 9d66bc5aa90bb15c37922090e85e692d 6604 java optional commons-beanutils_1.10.1-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---