[gentoo-announce] [ GLSA 202003-01 ] Groovy: Arbitrary code execution - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202003-01 ] Groovy: Arbitrary code execution
Date:	Thu, 12 Mar 2020 19:14:42
Message-Id:	`b14d9f9e-2c9e-38cc-5ff3-bfbcf45ec0f1@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202003-01

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: Groovy: Arbitrary code execution

9

     Date: March 07, 2020

10

     Bugs: #605690

11

       ID: 202003-01

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A vulnerability within serialization might allow remote attackers to

19

execute arbitrary code.

20

21

Background

22

==========

23

24

A multi-faceted language for the Java platform

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  dev-java/groovy              <= 2.4.5                 Vulnerable!

33

    -------------------------------------------------------------------

34

     NOTE: Certain packages are still vulnerable. Users should migrate

35

           to another package if one is available or wait for the

36

           existing packages to be marked stable by their

37

           architecture maintainers.

38

39

Description

40

===========

41

42

It was discovered that there was a vulnerability within the Java

43

serialization/deserialization process.

44

45

Impact

46

======

47

48

An attacker, by crafting a special serialized object, could execute

49

arbitrary code.

50

51

Workaround

52

==========

53

54

There is no known workaround at this time.

55

56

Resolution

57

==========

58

59

Gentoo has discontinued support for Groovy. We recommend that users

60

unmerge Groovy:

61

62

  # emerge --unmerge "dev-java/groovy"

63

64

References

65

==========

66

67

[ 1 ] CVE-2016-6814

68

      https://nvd.nist.gov/vuln/detail/CVE-2016-6814

69

70

Availability

71

============

72

73

This GLSA and any updates to it are available for viewing at

74

the Gentoo Security Website:

75

76

 https://security.gentoo.org/glsa/202003-01

77

78

Concerns?

79

=========

80

81

Security is a primary focus of Gentoo Linux and ensuring the

82

confidentiality and security of our users' machines is of utmost

83

importance to us. Any security concerns should be addressed to

84

security@g.o or alternatively, you may file a bug at

85

https://bugs.gentoo.org.

86

87

License

88

=======

89

90

Copyright 2020 Gentoo Foundation, Inc; referenced text

91

belongs to its owner(s).

92

93

The contents of this document are licensed under the

94

Creative Commons - Attribution / Share Alike license.

95

96

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202003-01
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Groovy: Arbitrary code execution
9	Date: March 07, 2020
10	Bugs: #605690
11	ID: 202003-01
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A vulnerability within serialization might allow remote attackers to
19	execute arbitrary code.
20
21	Background
22	==========
23
24	A multi-faceted language for the Java platform
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 dev-java/groovy <= 2.4.5 Vulnerable!
33	-------------------------------------------------------------------
34	NOTE: Certain packages are still vulnerable. Users should migrate
35	to another package if one is available or wait for the
36	existing packages to be marked stable by their
37	architecture maintainers.
38
39	Description
40	===========
41
42	It was discovered that there was a vulnerability within the Java
43	serialization/deserialization process.
44
45	Impact
46	======
47
48	An attacker, by crafting a special serialized object, could execute
49	arbitrary code.
50
51	Workaround
52	==========
53
54	There is no known workaround at this time.
55
56	Resolution
57	==========
58
59	Gentoo has discontinued support for Groovy. We recommend that users
60	unmerge Groovy:
61
62	# emerge --unmerge "dev-java/groovy"
63
64	References
65	==========
66
67	[ 1 ] CVE-2016-6814
68	https://nvd.nist.gov/vuln/detail/CVE-2016-6814
69
70	Availability
71	============
72
73	This GLSA and any updates to it are available for viewing at
74	the Gentoo Security Website:
75
76	https://security.gentoo.org/glsa/202003-01
77
78	Concerns?
79	=========
80
81	Security is a primary focus of Gentoo Linux and ensuring the
82	confidentiality and security of our users' machines is of utmost
83	importance to us. Any security concerns should be addressed to
84	security@g.o or alternatively, you may file a bug at
85	https://bugs.gentoo.org.
86
87	License
88	=======
89
90	Copyright 2020 Gentoo Foundation, Inc; referenced text
91	belongs to its owner(s).
92
93	The contents of this document are licensed under the
94	Creative Commons - Attribution / Share Alike license.
95
96	https://creativecommons.org/licenses/by-sa/2.5