From ${URL} :

It was found that jython is vulnerable to arbitrary code execution by sending a serialized function to the deserializer, which in turn will execute the code.

Upstream issue: http://bugs.jython.org/issue2454
Upstream patch: https://hg.python.org/jython/rev/d06e29d100c0

References: https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
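For applications that deserialize data with Jython on the classpath, a JEP 290 deserialization filter is the usual defence-in-depth until the patched package lands. The following is an added example, not code from the bug report or from Jython; it assumes Java 9+ (java.io.ObjectInputFilter) and a hypothetical consumer that only expects ArrayList and String payloads.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class FilteredDeserialize {
    // JEP 290 pattern: explicitly reject the whole Jython package tree, allow only
    // the types this (hypothetical) consumer expects, cap nesting depth, reject the rest.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.python.**;java.util.ArrayList;java.lang.String;maxdepth=8;!*");

    /** Deserialize with the allowlist filter attached before readObject() runs. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    /** Helper: serialize an object to bytes (used to build constructed sample input). */
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a payload of the expected shape passes the filter.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + readFiltered(toBytes(expected)));

        // Any class outside the allowlist (HashMap here stands in for an unexpected
        // type such as a Jython function object) is rejected when its class descriptor
        // is read, i.e. before an instance is allocated and its readObject() can run.
        try {
            readFiltered(toBytes(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```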
I have now patched against this in the -r2 revbump. I wonder why there was such a long time between discovery and publication. Upstream still haven't put out a new release. I would appreciate a little urgency on this one. As well as the security issue, it is also indirectly holding up the removal of Java 7. Runtime testing would be appreciated. Seeing that the jython2.7 console fires up would be sufficient.
An automated check of this bug failed - the following atom is unknown: dev-java/jython-2.7.0-r2 Please verify the atom list.
(In reply to Stabilization helper bot from comment #2) > An automated check of this bug failed - the following atom is unknown: D'oh, forgot to push.
Builds and runs fine on x86. Rdeps build fine as well. Please mark stable for x86.
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
New GLSA request filed. Gentoo Security Padawan (jmbailey/mbailey_j)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e509506285cd9c23476eb409931bd752f21fbb0

commit 9e509506285cd9c23476eb409931bd752f21fbb0
Author: Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-27 17:26:17 +0000
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-27 18:27:41 +0000

dev-java/jython: remove vulnerable version.

Bug: https://bugs.gentoo.org/621876
Package-Manager: Portage-2.3.8, Repoman-2.3.3

dev-java/jython/jython-2.7.0.ebuild | 191 ------------------------------------
dev-java/jython/metadata.xml | 3 -
2 files changed, 194 deletions(-)
This issue was resolved and addressed in GLSA 201710-28 at https://security.gentoo.org/glsa/201710-28 by GLSA coordinator Aaron Bauman (b-man).