| Field | Value |
|---|---|
| Summary | <dev-java/commons-collections-3.2.2: Unsafe deserialisation (CVE-2017-15708) |
| Product | Gentoo Security |
| Reporter | Sam James <sam> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | fordfrog, java |
| Priority | Normal |
| Flags | nattka: sanity-check+ |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://commons.apache.org/proper/commons-collections/release_3_2_2.html |
| See Also | https://github.com/gentoo/gentoo/pull/20421, https://github.com/gentoo/gentoo/pull/20474 |
| Whiteboard | B2 [glsa+ cve] |
| Package list | dev-java/commons-collections-3.2.2 |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 779490 |
Description
Sam James
2020-08-28 03:19:13 UTC

Note that 4.x isn't vulnerable, but <3.2.2 is, so we need to bump to 3.2.2 here *or* just cleanup 3.x if possible.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e90a6173247f06514731825677f3fc67c62bdc52

```
commit e90a6173247f06514731825677f3fc67c62bdc52
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-21 09:31:11 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-21 09:33:09 +0000

    dev-java/commons-collections: bump to 3.2.2

    Bug: https://bugs.gentoo.org/739348
    Closes: https://bugs.gentoo.org/784131
    Closes: https://bugs.gentoo.org/780153
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-collections/Manifest                   |   1 +
 .../commons-collections-3.2.2.ebuild                    |  67 +++++++
 .../files/commons-collections-3.2.2-fixes.patch         | 201 +++++++++++++++++++++
 3 files changed, 269 insertions(+)
```

it should be safe to stabilize

Thanks!

amd64 done

ppc64 done

x86 done

all arches done

Please cleanup

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a

```
commit c7b2e1ce22d34cb19c5e7d03c16fcabe3420d06a
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-04-27 05:36:49 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 05:36:49 +0000

    dev-java/commons-collections: removed obsolete and vulnerable 3.2.1-r1

    Bug: https://bugs.gentoo.org/739348
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-collections/Manifest                   |   1 -
 .../commons-collections-3.2.1-r1.ebuild                 |  74 ----------
 .../files/commons-collections-3.2.1-Java-8.patch        | 160 ---------------------
 dev-java/commons-collections/metadata.xml               |   3 -
 4 files changed, 238 deletions(-)
```

the tree is clean now, you can proceed.

GLSA request filed.

GLSA request filed.

This issue was resolved and addressed in GLSA 202107-37 at https://security.gentoo.org/glsa/202107-37 by GLSA coordinator John Helmert III (ajak).