CVE-2022-42889 (http://www.openwall.com/lists/oss-security/2022/10/13/4): Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Please bump to 1.10.0.
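A hardening pattern for the behaviour described above, added here as an example and not code from this bug report or from the Commons Text project: build the StringSubstitutor from an explicit allow-list of lookups rather than the interpolation defaults, so the "script", "dns" and "url" lookups are unreachable regardless of which 1.x version is installed. The SafeInterpolation class, the "app" prefix and the sample values are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Builds a StringSubstitutor whose interpolator knows only an explicit allow-list of lookups. */
public final class SafeInterpolation {

    private SafeInterpolation() {}

    /**
     * Only the prefixes registered here are resolvable. The "script", "dns" and "url"
     * lookups included in the 1.5-1.9 defaults are never registered, so an untrusted
     * "${script:...}" or "${url:...}" expression is left as literal text.
     */
    public static StringSubstitutor restrictedSubstitutor(Map<String, String> appValues) {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", factory.systemPropertyStringLookup());
        allowed.put("env", factory.environmentVariableStringLookup());
        // "app" is a prefix chosen for this example; it resolves from a caller-supplied map.
        allowed.put("app", factory.mapStringLookup(appValues));

        // defaultStringLookup = null: an unknown prefix resolves to nothing and the
        // variable stays unexpanded. addDefaultLookups = false: do NOT pull in the
        // factory's default lookup set, which is where the dangerous lookups live.
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration.
        Map<String, String> values = new HashMap<>();
        values.put("greeting", "hello");
        StringSubstitutor safe = restrictedSubstitutor(values);

        // Allowed prefixes expand as expected.
        System.out.println(safe.replace("${app:greeting} on Java ${sys:java.version}"));
        // A disallowed prefix is printed back unchanged instead of being evaluated.
        System.out.println(safe.replace("${script:javascript:1+1}"));
    }
}
```

The same allow-list construction works on 1.10.0, where it also documents the intended lookup set explicitly rather than relying on the new defaults.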
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a5a83e6b764ed915e5b2dbacdf6b2cbb7c9b6bdd
commit a5a83e6b764ed915e5b2dbacdf6b2cbb7c9b6bdd
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-16 08:12:52 +0000
Commit: Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-10-20 11:18:21 +0000
dev-java/commons-text: add 1.10.0 (CVE-2022-42889)
Bug: https://bugs.gentoo.org/877577
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/27802
Signed-off-by: Florian Schmaus <flow@gentoo.org>
dev-java/commons-text/Manifest | 1 +
dev-java/commons-text/commons-text-1.10.0.ebuild | 59 ++++++++++++++++++++++++
2 files changed, 60 insertions(+)
Thanks! Please stabilize when ready.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07e28cb7773bf8a1766227b964661533012765f8
commit 07e28cb7773bf8a1766227b964661533012765f8
Author: Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-10-25 13:18:40 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-25 21:55:41 +0000
dev-java/commons-text: drop 1.9
Bug: https://bugs.gentoo.org/877577
Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
Closes: https://github.com/gentoo/gentoo/pull/27941
Signed-off-by: John Helmert III <ajak@gentoo.org>
dev-java/commons-text/Manifest | 1 -
dev-java/commons-text/commons-text-1.9.ebuild | 43 ---------------------------
2 files changed, 44 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=45e0bd72744551e71baa23cf23de456d4dd49331
commit 45e0bd72744551e71baa23cf23de456d4dd49331
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:18:10 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:05 +0000
[ GLSA 202301-05 ] Apache Commons Text: Arbitrary Code Execution
Bug: https://bugs.gentoo.org/877577
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>
glsa-202301-05.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
GLSA released, all done!