Your message dated Sat, 05 Sep 2015 14:31:07 +0100 with message-id <1441459867.2151.32.camel@adam-barratt.org.uk> and subject line Closing p-u bugs for 8.2 has caused the Debian Bug report #793688, regarding jessie-pu: package groovy2/2.2.2+dfsg-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 793688: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793688 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package groovy2/2.2.2+dfsg-3
- From: Miguel Landaeta <nomadium@debian.org>
- Date: Sun, 26 Jul 2015 12:40:16 -0300
- Message-id: <20150726154016.GA1443@alice.nomadium.lan>
Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, It was reported a vulnerability on groovy2 that allow to execute arbitrary code remotely. For more information you can take a look at: https://bugs.debian.org/793398. I already uploaded a fix to unstable but given the low popcon of groovy2 I don't think it warrant a DSA so I'm proposing to fix this in stable with the next point release. I'm attaching a debdiff with the proposed changes. Thanks, -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzschediff -Nru groovy2-2.2.2+dfsg/debian/changelog groovy2-2.2.2+dfsg/debian/changelog --- groovy2-2.2.2+dfsg/debian/changelog 2014-08-29 01:18:55.000000000 -0300 +++ groovy2-2.2.2+dfsg/debian/changelog 2015-07-25 17:20:07.000000000 -0300 @@ -1,3 +1,10 @@ +groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high + + * Fix remote execution of untrusted code and possible DoS vulnerability. + (CVE-2015-3253) (Closes: #793398). + + -- Miguel Landaeta <nomadium@debian.org> Sat, 25 Jul 2015 15:46:24 -0300 + groovy2 (2.2.2+dfsg-3) unstable; urgency=medium * Relicense patches under Apache-2.0 license to make them compatible diff -Nru groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff --- groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff 1969-12-31 21:00:00.000000000 -0300 +++ groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff 2015-07-25 17:19:23.000000000 -0300 @@ -0,0 +1,32 @@ +Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253) +Author: Cedric Champeau <cchampeau@apache.org> +Bug-Debian: https://bugs.debian.org/793398 +Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d +Forwarded: no +Last-Update: 2015-07-25 + +--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java ++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java +@@ -30,6 +30,8 @@ import java.util.List; + */ + public class MethodClosure extends Closure { + ++ public static boolean ALLOW_RESOLVE = false; ++ + private String method; + + public MethodClosure(Object owner, String method) { +@@ -60,6 +62,13 @@ public class MethodClosure extends Closure { + return InvokerHelper.invokeMethod(getOwner(), method, arguments); + } + ++ private Object readResolve() { ++ if (ALLOW_RESOLVE) { ++ return this; ++ } ++ throw new UnsupportedOperationException(); ++ } ++ + public Object getProperty(String property) { + if ("method".equals(property)) { + return getMethod(); diff -Nru groovy2-2.2.2+dfsg/debian/patches/series groovy2-2.2.2+dfsg/debian/patches/series --- groovy2-2.2.2+dfsg/debian/patches/series 2014-07-25 22:21:25.000000000 -0300 +++ groovy2-2.2.2+dfsg/debian/patches/series 2015-07-25 17:19:23.000000000 -0300 @@ -1,3 +1,4 @@ 01_fix_gradle_build.diff 02_fix_start_script.diff 03_add_maven_poms.diff +04_CVE-2015-3253.diffAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: 782381-done@bugs.debian.org, 785573-done@bugs.debian.org, 785780-done@bugs.debian.org, 787067-done@bugs.debian.org, 787299-done@bugs.debian.org, 787478-done@bugs.debian.org, 787635-done@bugs.debian.org, 787642-done@bugs.debian.org, 787692-done@bugs.debian.org, 787806-done@bugs.debian.org, 787867-done@bugs.debian.org, 787904-done@bugs.debian.org, 787952-done@bugs.debian.org, 788054-done@bugs.debian.org, 788110-done@bugs.debian.org, 788241-done@bugs.debian.org, 788283-done@bugs.debian.org, 788531-done@bugs.debian.org, 788608-done@bugs.debian.org, 788612-done@bugs.debian.org, 788615-done@bugs.debian.org, 788665-done@bugs.debian.org, 788928-done@bugs.debian.org, 788938-done@bugs.debian.org, 789189-done@bugs.debian.org, 789393-done@bugs.debian.org, 789724-done@bugs.debian.org, 789786-done@bugs.debian.org, 790060-done@bugs.debian.org, 790245-done@bugs.debian.org, 790833-done@bugs.debian.org, 790939-done@bugs.debian.org, 791792-done@bugs.debian.org, 792369-done@bugs.debian.org, 792452-done@bugs.debian.org, 793020-done@bugs.debian.org, 793163-done@bugs.debian.org, 793430-done@bugs.debian.org, 793470-done@bugs.debian.org, 793688-done@bugs.debian.org, 794003-done@bugs.debian.org, 794090-done@bugs.debian.org, 794407-done@bugs.debian.org, 795165-done@bugs.debian.org, 795271-done@bugs.debian.org, 795491-done@bugs.debian.org, 795706-done@bugs.debian.org, 795794-done@bugs.debian.org, 795911-done@bugs.debian.org, 795947-done@bugs.debian.org, 796088-done@bugs.debian.org, 796112-done@bugs.debian.org, 796379-done@bugs.debian.org, 796573-done@bugs.debian.org, 796595-done@bugs.debian.org, 796846-done@bugs.debian.org, 796975-done@bugs.debian.org, 797083-done@bugs.debian.org, 797179-done@bugs.debian.org, 797201-done@bugs.debian.org, 797209-done@bugs.debian.org, 797246-done@bugs.debian.org, 797304-done@bugs.debian.org, 797328-done@bugs.debian.org
- Subject: Closing p-u bugs for 8.2
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 05 Sep 2015 14:31:07 +0100
- Message-id: <1441459867.2151.32.camel@adam-barratt.org.uk>
Version: 8.2 Hi, These bugs correspond to updates which were included in the 8.2 point release. Regards, Adam
--- End Message ---