CVE-2014-0114 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0114): Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
* commit df0dbde (HEAD, master)
| Author: Patrice Clement <monsieurp@gentoo.org>
| Date:   Fri Aug 21 10:40:02 2015 +0000
|
|     dev-java/commons-beanutils: Version bump. Fixes security bug 534498.
|
|     Package-Manager: portage-2.2.18
|     Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
|
|  create mode 100644 dev-java/commons-beanutils/commons-beanutils-1.9.2.ebuild

Arch teams,

Please stabilise:
=dev-java/commons-beanutils-1.9.2

Target arches: amd64 ppc ppc64 x86

Thanks.
amd64 stable
x86 stable
ppc stable
* commit 0c2e619
| Author: Patrice Clement <monsieurp@gentoo.org>
| Date:   Thu Sep 3 06:18:32 2015 -0700
|
|     dev-java/commons-beanutils: Stable for ppc64. Fixes security bug 534498.
|
|     Package-Manager: portage-2.2.20.1
commit 15cc32e (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Thu Sep 3 06:20:17 2015 -0700

    dev-java/commons-beanutils: Remove vulnerable versions. Fixes security bug 534498.

    Package-Manager: portage-2.2.20.1

 delete mode 100644 dev-java/commons-beanutils/commons-beanutils-1.8.0.ebuild
 delete mode 100644 dev-java/commons-beanutils/commons-beanutils-1.8.3.ebuild

Security,

Please vote.
glsa request is filed
This issue was resolved and addressed in GLSA 201607-09 at https://security.gentoo.org/glsa/201607-09 by GLSA coordinator Aaron Bauman (b-man).