Jump to content
Compatible Support Forums
Sign in to follow this  
news

[SECURITY] [DLA 352-1] libcommons-collections3-java security update

Recommended Posts

Package : libcommons-collections3-java

Version : 3.2.1-4+deb6u1

 

The Apache commons collection suffered from security issues, making

applications to accept serialized objects from untrusted sources. Remote

attackers might take advantage of these issues to execute arbitrary Java

functions and even inject manipulated bytecode.

 

This release of libcommons-collection3-java prevents these issues by disabling

the deserialization of the functors classes, unless the system property

org.apache.commons.collections.enableUnsafeSerialization is set to 'true'.

Classes considered unsafe are: CloneTransformer, ForClosure,

InstantiateFactory, InstantiateTransformer, InvokerTransformer,

PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure.

 

For Debian 6 "Squeeze", these problems have been fixed in

libcommons-collections3-java version 3.2.1-4+deb6u1. We recommend you to

upgrade your libcommons-collections3-java packages.

 

Learn more about the Debian Long Term Support (LTS) Project and how to

apply these updates at: https://wiki.debian.org/LTS/

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×