Description: "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean."
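The description above says the suppressing BeanIntrospector exists since 1.9.2 but was not applied by default in PropertyUtilsBean. The following is an added example, not code from the bug report or from the Commons BeanUtils project, showing one way to register it explicitly and check the result. The `Account` bean and the class and method names `SuppressClassProperty`, `hardened` and `exposesClass` are hypothetical; it assumes commons-beanutils 1.9.2 or later on the classpath.

```java
import java.beans.PropertyDescriptor;

import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassProperty {

    // Constructed sample bean, standing in for an object populated from untrusted input.
    public static class Account {
        private String owner;
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    /** Builds a PropertyUtilsBean with the "class" property suppressed. */
    static PropertyUtilsBean hardened() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        // Runs after the default introspector and removes "class" from the result.
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    /** Returns true if "class" still resolves as a bean property. */
    static boolean exposesClass(PropertyUtilsBean pub, Object bean) throws Exception {
        PropertyDescriptor pd = pub.getPropertyDescriptor(bean, "class");
        return pd != null;
    }

    public static void main(String[] args) throws Exception {
        Account bean = new Account();
        PropertyUtilsBean pub = hardened();

        // Route the static BeanUtils/PropertyUtils facades through the hardened instance.
        BeanUtilsBean bub = new BeanUtilsBean(new ConvertUtilsBean(), pub);
        BeanUtilsBean.setInstance(bub);

        // Ordinary properties must keep working; only "class" should disappear.
        bub.setProperty(bean, "owner", "alice");
        System.out.println("owner = " + bean.getOwner());
        System.out.println("class exposed (hardened): " + exposesClass(pub, bean));
        System.out.println("class exposed (plain instance): "
                + exposesClass(new PropertyUtilsBean(), bean));
    }
}
```

The last line reports what a plain `new PropertyUtilsBean()` does in the installed library version, which makes the check usable for confirming whether a given deployment still needs the explicit registration.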
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=553539eb9d5c7409668481e510623db9f457f3e6

commit 553539eb9d5c7409668481e510623db9f457f3e6
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-04-27 09:13:13 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-04-27 11:29:48 +0000

    dev-java/commons-beanutils: bump to 1.9.4

    Bug: https://bugs.gentoo.org/739346
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/20553
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/commons-beanutils/Manifest                |  1 +
 .../commons-beanutils-1.9.4.ebuild                 | 69 ++++++++++++++++++++++
 2 files changed, 70 insertions(+)
we still have some tests failing, will try to fix that later...
Looks like stabilization was done in bug 832341. Tree is clean.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e9e8225a5cdb6fc2b599aedc60530a0990ac776a

commit e9e8225a5cdb6fc2b599aedc60530a0990ac776a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 05:13:04 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 05:13:23 +0000

    [ GLSA 202405-21 ] Commons-BeanUtils: Improper Access Restriction

    Bug: https://bugs.gentoo.org/739346
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-21.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)