*** This bug is a security vulnerability ***
Public security bug reported:
This aims to fix two CVEs:
- CVE-2013-2027: Creates executables class files with wrong permissions
- CVE-2016-4000: Unsafe deserialization leads to code execution
While CVE-2013-2027 is not shown as fixed in Debian and Red Hat, it is
fixed in OpenSUSE (openSUSE-SU-2015:0269-1), we can backport their
patches.
CVE-2016-4000 was fixed in Debian in 2.5.3-17, and that's in Artful, but
we still need fixes for Trusty, Xenial, and Zesty.
** Affects: jython (Ubuntu)
Importance: Medium
Assignee: Simon Quigley (tsimonq2)
Status: In Progress
** Affects: jython (Ubuntu Trusty)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: In Progress
** Affects: jython (Ubuntu Xenial)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: In Progress
** Affects: jython (Ubuntu Zesty)
Importance: High
Assignee: Simon Quigley (tsimonq2)
Status: In Progress
** Affects: jython (Ubuntu Artful)
Importance: Medium
Assignee: Simon Quigley (tsimonq2)
Status: In Progress
** Tags: artful trusty xenial zesty
** Also affects: jython (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: jython (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: jython (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: jython (Ubuntu Zesty)
Importance: Undecided
Status: New
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4000
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1714728
Title:
[CVEs] Creates executables class files with wrong permissions, Unsafe
deserialization leads to code execution
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jython/+bug/1714728/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs