"In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the PropertyUtilsBean."
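An added example (not part of the advisory or of the Gentoo ebuild) showing how the suppressing introspector described above is registered explicitly on a `PropertyUtilsBean`, which is what code on 1.9.2 or 1.9.3 has to do itself; 1.9.4 registers it by default. The `Account` bean and the class name are hypothetical, and commons-beanutils with its commons-logging and commons-collections dependencies is assumed to be on the classpath.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SuppressClassPropertyDemo {

    // Hypothetical bean standing in for an object populated from untrusted input.
    public static class Account {
        private String owner;
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    // PropertyUtilsBean with the "class" property suppressed.
    // Required on 1.9.2/1.9.3; redundant but harmless on 1.9.4.
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub;
    }

    // True if introspection still exposes the named property on the bean.
    static boolean exposes(PropertyUtilsBean pub, Object bean, String name) throws Exception {
        return pub.getPropertyDescriptor(bean, name) != null;
    }

    public static void main(String[] args) throws Exception {
        Account acct = new Account();
        PropertyUtilsBean hardened = hardenedPropertyUtils();

        // Deployment check: "class" must be gone, ordinary properties must remain.
        System.out.println("class exposed: " + exposes(hardened, acct, "class"));
        System.out.println("owner exposed: " + exposes(hardened, acct, "owner"));

        // Route population through the hardened instance.
        BeanUtilsBean bub = new BeanUtilsBean(new ConvertUtilsBean(), hardened);
        bub.setProperty(acct, "owner", "alice");
        System.out.println("owner = " + acct.getOwner());

        // Make the static BeanUtils/PropertyUtils facades use it as well
        // (per context class loader).
        BeanUtilsBean.setInstance(bub);

        if (exposes(hardened, acct, "class")) {
            throw new IllegalStateException("class property is still reachable");
        }
    }
}
```

The `exposes(..., "class")` check also works as a start-up assertion to confirm which behaviour the deployed commons-beanutils version actually provides.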
The bug has been referenced in the following commit(s):
Author: Volkmar W. Pogatzki <email@example.com>
AuthorDate: 2021-04-27 09:13:13 +0000
Commit: Miroslav Šulc <firstname.lastname@example.org>
CommitDate: 2021-04-27 11:29:48 +0000
dev-java/commons-beanutils: bump to 1.9.4
Package-Manager: Portage-3.0.18, Repoman-3.0.2
Signed-off-by: Volkmar W. Pogatzki <email@example.com>
Signed-off-by: Miroslav Šulc <firstname.lastname@example.org>
dev-java/commons-beanutils/Manifest | 1 +
.../commons-beanutils-1.9.4.ebuild | 69 ++++++++++++++++++++++
2 files changed, 70 insertions(+)
We still have some tests failing, will try to fix that later...
Looks like stabilization was done in bug 832341. Tree is clean.