Your message dated Sat, 21 May 2016 13:17:08 +0000
with message-id <e1b46mc-0005em...@franck.debian.org>
and subject line Bug#793397: fixed in groovy 1.8.6-4+deb8u1
has caused the Debian Bug report #793397,
regarding Remote execution of untrusted code, DoS (CVE-2015-3253)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
793397: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793397
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: groovy
Version: 1.8.6-1
Severity: grave
Tags: security upstream

cpnrodzc7, working with HP's Zero Day Initiative, discovered that
Java applications using standard Java serialization mechanisms to
decode untrusted data, and that have Groovy on their classpath, can
be passed a serialized object that will cause the application to
execute arbitrary code.

This issue has been marked as fixed in Groovy 2.4.4 and a standalone
security patch has been made available.

CVE-2015-3253 has been assigned to this issue. 
Please mention it in the changelog when fixing the issue.

References:
 * Bulletin
   http://seclists.org/bugtraq/2015/Jul/78
 * Security update
   http://groovy-lang.org/security.html
 * Fixing commit (on 2.4.x branch)
   https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d


-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: groovy
Source-Version: 1.8.6-4+deb8u1

We believe that the bug you reported is fixed in the latest version of
groovy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 793...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <nomad...@debian.org> (supplier of updated groovy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 25 Jul 2015 18:27:24 -0300
Source: groovy
Binary: groovy groovy-doc
Architecture: source all
Version: 1.8.6-4+deb8u1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <nomad...@debian.org>
Description:
 groovy     - Agile dynamic language for the Java Virtual Machine
 groovy-doc - Agile dynamic language for the Java Virtual Machine (documentatio
Closes: 793397
Changes:
 groovy (1.8.6-4+deb8u1) stable; urgency=high
 .
   * Fix remote execution of untrusted code and possible DoS vulnerability.
     (CVE-2015-3253) (Closes: #793397).


--- End Message ---
