DSA-3403-1 libcommons-collections3-java -- libcommons-collections3-java
ID: oval:org.secpod.oval:def:602289 | Date: (C)2015-12-02 (M)2021-09-13 |
Class: PATCH | Family: unix |
This update backports changes from the commons-collections 3.2.2 release which disable the deserialisation of the functor classes unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to "true". This fixes a vulnerability in unsafe applications that deserialise objects from untrusted sources without sanitising the input data. Classes considered unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory and WhileClosure. For the oldstable distribution, this problem has been fixed in version 3.2.1-5+deb7u1.
Platform: |
Debian 8.x |
Debian 7.x |
Product: |
libcommons-collections3-java |