
[SECURITY] [DLA 4229-1] commons-beanutils security update




-------------------------------------------------------------------------
Debian LTS Advisory DLA-4229-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
June 25, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : commons-beanutils
Version        : 1.9.4-1+deb11u1
CVE ID         : CVE-2025-48734


commons-beanutils, a utility for manipulating Java beans, has an
improper access control vulnerability. A special BeanIntrospector
class was added in version 1.9.2. It can be used to stop attackers
from using the declared class property of Java enum objects to gain
access to the classloader. However, this protection was not enabled by
default. PropertyUtilsBean (and consequently BeanUtilsBean) now
disallows declared class level property access by default.
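The following is an added self-check, not code from Debian or from
Apache Commons BeanUtils. It assumes the "declared class property"
above is the `declaringClass` JavaBeans property backed by
`Enum.getDeclaringClass()`, and shows the hardened configuration that a
patched PropertyUtilsBean applies by default: a
SuppressPropertiesBeanIntrospector that hides that property, built
with the public Collection constructor (1.9.2 and later). Running it
against the installed library tells you whether the stock instance
still exposes the property.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.concurrent.TimeUnit;

import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/** Added example: probes whether a PropertyUtilsBean lets callers read the
 *  enum "declaringClass" property (assumed here to be the property this
 *  advisory calls the "declared class property"). */
public class BeanUtilsEnumCheck {

    // Any enum value works as a probe; TimeUnit is just a convenient JDK enum.
    private static final Object PROBE_ENUM = TimeUnit.SECONDS;

    /** True if "declaringClass" resolves through the given bean utils, i.e.
     *  the instance is not hardened; false if the property is suppressed. */
    public static boolean exposesDeclaringClass(PropertyUtilsBean pub) {
        try {
            return pub.getProperty(PROBE_ENUM, "declaringClass") != null;
        } catch (NoSuchMethodException e) {
            // Suppressed properties are reported as unknown: the fixed behaviour.
            return false;
        } catch (ReflectiveOperationException e) {
            // IllegalAccessException / InvocationTargetException: not readable.
            return false;
        }
    }

    /** Builds an instance with the protection enabled explicitly, which is
     *  what the fixed package does by default. SUPPRESS_CLASS hides "class"
     *  (the older class.classLoader path); the second introspector hides
     *  "declaringClass" using the public Collection<String> constructor. */
    public static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pub.addBeanIntrospector(new SuppressPropertiesBeanIntrospector(
                new HashSet<>(Arrays.asList("declaringClass"))));
        return pub;
    }

    public static void main(String[] args) {
        // "true" for the stock instance means the installed library is unpatched.
        System.out.println("stock instance exposes declaringClass:    "
                + exposesDeclaringClass(new PropertyUtilsBean()));
        System.out.println("hardened instance exposes declaringClass: "
                + exposesDeclaringClass(hardened()));
    }
}
```

Compile with commons-beanutils (and its commons-logging dependency) on the classpath; the hardened instance should always report false, and the stock instance reports false only once the fixed version is installed.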


For Debian 11 bullseye, this problem has been fixed in version
1.9.4-1+deb11u1.

We recommend that you upgrade your commons-beanutils packages.

For the detailed security status of commons-beanutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/commons-beanutils

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


