• [SECURITY] [DSA 5290-1] commons-configuration2 security update

    From Markus Koschany@21:1/5 to All on Mon Nov 28 13:00:01 2022

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-5290-1                   security@debian.org
    https://www.debian.org/security/                          Markus Koschany
    November 28, 2022                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : commons-configuration2
    CVE ID : CVE-2022-33980
    Debian Bug : 1014960

    Apache Commons Configuration, a Java library providing a generic
    configuration interface, performs variable interpolation, allowing
    properties to be dynamically evaluated and expanded. Starting with version
    2.4 and continuing through 2.7, the set of default Lookup instances
    included interpolators that could result in arbitrary code execution or
    contact with remote servers. These lookups are:

    - "script" - execute expressions using the JVM script execution engine
      (javax.script)
    - "dns" - resolve DNS records
    - "url" - load values from URLs, including from remote servers

    Applications using the interpolation defaults in the affected versions may
    be vulnerable to remote code execution or unintentional contact with
    remote servers if untrusted configuration values are used.

    For the stable distribution (bullseye), this problem has been fixed in
    version 2.8.0-1~deb11u1.

    We recommend that you upgrade your commons-configuration2 packages.

    For the detailed security status of commons-configuration2 please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/commons-configuration2

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
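
An added example, not part of the Debian advisory or of the Apache project's code: an audit script that flags properties-file entries using the three lookups the advisory names ("script", "dns", "url"), so they can be reviewed alongside the upgrade. The `${prefix:...}` form is Commons Configuration's interpolation syntax; the sample input, key names and function names are constructed for illustration, and the comment and line-continuation handling assumes Java properties-file conventions.

```python
import re

# Lookup prefixes the advisory names as enabled by default in 2.4 through 2.7.
RISKY_PREFIXES = ("script", "dns", "url")
# "${prefix:" opens a prefixed lookup; ignoring case is a conservative audit choice.
_LOOKUP = re.compile(r"\$\{\s*(%s)\s*:" % "|".join(RISKY_PREFIXES), re.I)
_KEY = re.compile(r"[^=:\s]+")

# Constructed sample input (not from the advisory); values are placeholders.
SAMPLE = r"""
app.name = demo
app.home = ${sys:user.home}/demo
banner = ${url:PLACEHOLDER}
resolver: ${DNS:example.invalid}
! hook = ${script:PLACEHOLDER}
hook = prefix-${scr\
    ipt:PLACEHOLDER}
"""

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        piece = raw.lstrip()
        if buf is None:
            if not piece or piece[0] in "#!":  # blank line or comment
                continue
            buf, start = "", no
        if (len(piece) - len(piece.rstrip("\\"))) % 2:  # odd count: continues
            buf += piece[:-1]
            continue
        yield start, buf + piece
        buf = None
    if buf is not None:  # file ended in the middle of a continuation
        yield start, buf

def find_risky_lookups(text):
    """Return sorted (line_no, key, prefix) for each risky lookup found."""
    hits = set()
    for no, line in logical_lines(text):
        key = _KEY.match(line)
        for m in _LOOKUP.finditer(line):
            hits.add((no, key.group(0) if key else "", m.group(1).lower()))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_risky_lookups(SAMPLE):
        print("line %d: key %r uses the %r lookup" % hit)
```

A hit is a prompt for review rather than proof of exposure: what matters is whether the value can come from an untrusted source and whether the installed library version still enables these lookups by default.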