Package: libhibernate-validator-java Severity: serious Tags: security Hi, the following vulnerability was published for libhibernate-validator-java.
CVE-2014-3558[0]: It was discovered that the implementation of org.hibernate.validator.util.ReflectionHelper together with the permissions required to run Hibernate Validator under the Java Security Manager could allow a malicious application deployed in the same application container to execute several actions with escalated privileges, which might otherwise not be possible. This flaw could be used to perform various attacks, including but not restricted to, arbitrary code execution in systems that are otherwise secured by the Java Security Manager. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3558 https://security-tracker.debian.org/tracker/CVE-2014-3558 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3558 Please adjust the affected versions in the BTS as needed. The upstream fixes seem very involved and they have been pushed only on newer versions of the package: 4.2.1, 4.3.2, and 5.1.2 respectively. See https://hibernate.atlassian.net/browse/HV-912 Please switch to a new upstream version ASAP in unstable and help the security team and the LTS team to provide patched versions in stable/oldstable. Cheers, -- Raphaël Hertzog ◈ Debian Developer Discover the Debian Administrator's Handbook: → http://debian-handbook.info/get/ __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
