Debian Security Advisory
DLA-274-1 groovy -- LTS security update
- Date Reported: 20 Jul 2015
- Affected Packages: groovy
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2015-3253.
- More information:
cpnrodzc7, working with HP's Zero Day Initiative, discovered that Java applications using standard Java serialization mechanisms to decode untrusted data, and that have Groovy on their classpath, can be passed a serialized object that will cause the application to execute arbitrary code.
For the oldoldstable distribution (squeeze), this problem has been fixed in version 1.7.0-4+deb6u1.
For the oldstable distribution (wheezy) and stable distribution (jessie), this problem will be fixed soon.