From ${URL} : The Kryo serialization API (https://github.com/EsotericSoftware/kryo) doesn't enforce whitelisting by default, and thus allows side effects from constructors and finalizer methods in attacker-chosen types when deserializing. With the right gadgets available on the classpath, these side effects could lead to DoS, memory corruption, and possibly RCE. https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-1-kryo https://github.com/EsotericSoftware/kryo/issues/398 @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
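The whitelisting the report says Kryo lacks by default, shown as an added example (not code from the bug report, from Gentoo, or from the Kryo project): with registration required, a Kryo 4 reader refuses any class that was not explicitly registered, so an unexpected type is never instantiated and its constructor never runs. `Greeting` and `SideEffectOnConstruct` are constructed stand-in types; Kryo 5 later made registration required the default.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;

public class KryoWhitelistDemo {
    // Constructed sample type standing in for an application's own data class.
    public static class Greeting {
        public String text;
        public Greeting() {}
        public Greeting(String text) { this.text = text; }
    }

    // Hypothetical type whose constructor has a visible side effect; a reader
    // must not instantiate such types on behalf of untrusted input.
    public static class SideEffectOnConstruct {
        public SideEffectOnConstruct() { System.out.println("constructor ran"); }
    }

    // Hardened reader: only registered classes may be deserialized.
    static Kryo hardenedKryo() {
        Kryo kryo = new Kryo();
        kryo.setRegistrationRequired(true);   // the whitelist switch
        kryo.register(Greeting.class);        // the only type we expect on the wire
        return kryo;
    }

    static byte[] serialize(Kryo kryo, Object o) {
        Output out = new Output(1024, -1);    // growable buffer
        kryo.writeClassAndObject(out, o);     // writes class id/name + fields
        out.close();
        return out.toBytes();
    }

    public static void main(String[] args) {
        // A permissive writer (Kryo 4 default) can name any class in the stream.
        Kryo permissive = new Kryo();
        permissive.setRegistrationRequired(false);
        byte[] untrusted = serialize(permissive, new SideEffectOnConstruct());

        Kryo hardened = hardenedKryo();
        try {
            hardened.readClassAndObject(new Input(untrusted));
        } catch (IllegalArgumentException e) {
            // Kryo 4 reports "Class is not registered: ..." before instantiation.
            System.out.println("rejected: " + e.getMessage());
        }
        // Registered types still round-trip normally.
        byte[] ok = serialize(hardened, new Greeting("hi"));
        Greeting g = (Greeting) hardened.readClassAndObject(new Input(ok));
        System.out.println(g.text);
    }
}
```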
@maintainers has there been an update on this? I've noticed it's been open since last year. I am going to get in touch with upstream to see if version 4.0 has corrected this.
Hi Michael. Like you, we are civilised people. Let's greet each other before opening a discussion. Truth be told, the Java team hasn't looked into this bug so far. You are more than welcome to go and talk to upstream and report back here what they advise wrt this issue. Better yet, send us a PR on Github to fix this bug report. Have a great day.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79808d2dacc9f17de1d342318be8cc362b679247

commit 79808d2dacc9f17de1d342318be8cc362b679247
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:19:08 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:25:54 +0000

    dev-java/kryo: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/576874
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/kryo/Manifest           |  1 -
 dev-java/kryo/kryo-2.24.0.ebuild | 56 ----------------------------------------
 dev-java/kryo/metadata.xml       | 18 -------------
 profiles/package.mask            |  5 ----
 4 files changed, 80 deletions(-)
buh bye