Security issue in groovy<2.5.0

To: debian-java@lists.debian.org
Cc: Emmanuel Bourg <ebourg@apache.org>
Subject: Security issue in groovy<2.5.0
From: Felix Natter <fnatter@gmx.net>
Date: Thu, 17 Aug 2017 20:18:53 +0200
Message-id: <[🔎] 87valmm50y.fsf@bitburger.home.felix>

hello debian-java,

freeplane 1.5/1.6 added a library [1] which uses byte-buddy to fix a
security problem in groovy < 2.5.0 [2]. The fix will be included in
groovy 2.5, which should be released soon (currently at 2.5.0-beta-2).

So the question is: Can I package freeplane without the 'securegroovy'
library, expecting that groovy 2.5 will be released soon, and will
shortly after be packaged for Debian?

[1] https://github.com/dpolivaev/securegroovy/

[2] https://issues.apache.org/jira/browse/GROOVY-8163
(freeplane maps include groovy scripts which can escape the sandbox)

Thanks and Best Regards,
-- 
Felix Natter

Reply to:

Follow-Ups:
- Re: Security issue in groovy<2.5.0
  - From: Emmanuel Bourg <ebourg@apache.org>

Prev by Date: Re: freeplane deb - was: freeplane SNAP / gradle-debian-helper: option for turning off --offline
Next by Date: freeplane auto removal
Previous by thread: Re: 'debian' version for libclojure-java?
Next by thread: Re: Security issue in groovy<2.5.0
Index(es):
- Date
- Thread