[pkg-java] r18788 - in branches/groovy/squeeze-lts/debian: . patches
Miguel Landaeta
nomadium at moszumanska.debian.org
Sat Jul 25 23:44:09 UTC 2015
Author: nomadium
Date: 2015-07-25 23:44:09 +0000 (Sat, 25 Jul 2015)
New Revision: 18788
Added:
branches/groovy/squeeze-lts/debian/patches/CVE-2015-3253.patch
Modified:
branches/groovy/squeeze-lts/debian/changelog
branches/groovy/squeeze-lts/debian/control
branches/groovy/squeeze-lts/debian/patches/series
branches/groovy/squeeze-lts/debian/rules
Log:
squeeze-lts NMU 1.7.0-4+deb6u1
Modified: branches/groovy/squeeze-lts/debian/changelog
===================================================================
--- branches/groovy/squeeze-lts/debian/changelog 2015-07-25 23:38:35 UTC (rev 18787)
+++ branches/groovy/squeeze-lts/debian/changelog 2015-07-25 23:44:09 UTC (rev 18788)
@@ -1,3 +1,13 @@
+groovy (1.7.0-4+deb6u1) squeeze-lts; urgency=high
+
+ * Non-maintainer upload by the Squeeze LTS team
+ * debian/control, debian/rules: (Build-)Depend on libservlet2.5-java
+ instead of libservlet2.4-java (fixes FTBFS)
+ * Disable deserialisation of org.codehaus.groovy.runtime.MethodClosure
+ to prevent code injection (CVE-2015-3253)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sat, 18 Jul 2015 17:32:16 +0100
+
groovy (1.7.0-4) testing; urgency=low
* Set $JAVA_HOME in startGroovy. (Closes: #580160)
Modified: branches/groovy/squeeze-lts/debian/control
===================================================================
--- branches/groovy/squeeze-lts/debian/control 2015-07-25 23:38:35 UTC (rev 18787)
+++ branches/groovy/squeeze-lts/debian/control 2015-07-25 23:44:09 UTC (rev 18788)
@@ -7,7 +7,7 @@
Build-Depends-Indep: maven-repo-helper, ant (>= 1.7.1), ant-optional, default-jdk, bzip2, libasm3-java,
libbsf-java, libcommons-cli-java (>= 1.2), libcommons-logging-java
(>= 1.0.3), junit4, libmockobjects-java (>= 0.09), libregexp-java (>=
- 1.2), libservlet2.4-java, libxstream-java, libjline-java, antlr,
+ 1.2), libservlet2.5-java, libxstream-java, libjline-java, antlr,
tofrodos, ivy, libqdox-java, libjarjar-java
Standards-Version: 3.8.4
Homepage: http://groovy.codehaus.org/
@@ -19,7 +19,7 @@
Depends: ${misc:Depends}, antlr, libasm3-java, libbsf-java,
libclassworlds-java (>= 1.0.1), libcommons-cli-java (>= 1.0),
libcommons-logging-java (>= 1.0.3), junit4, libmockobjects-java (>=
- 0.09), libregexp-java (>= 1.2), libservlet2.4-java, libjline-java,
+ 0.09), libregexp-java (>= 1.2), libservlet2.5-java, libjline-java,
libxstream-java, ivy, default-jre-headless | java5-runtime-headless
Suggests: groovy-doc, ant (>= 1.7.1)
Description: Agile dynamic language for the Java Virtual Machine
Added: branches/groovy/squeeze-lts/debian/patches/CVE-2015-3253.patch
===================================================================
--- branches/groovy/squeeze-lts/debian/patches/CVE-2015-3253.patch (rev 0)
+++ branches/groovy/squeeze-lts/debian/patches/CVE-2015-3253.patch 2015-07-25 23:44:09 UTC (rev 18788)
@@ -0,0 +1,16 @@
+Description: Disable deserialisation of
+ org.codehaus.groovy.runtime.MethodClosure to prevent code injection
+ (CVE-2015-3253)
+Origin: https://marc.info/?l=oss-security&m=143704277529609&w=2
+
+--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -82,4 +82,8 @@ public class MethodClosure extends Closu
+ return getMethod();
+ } else return super.getProperty(property);
+ }
++
++ private Object readResolve() {
++ throw new UnsupportedOperationException();
++ }
+ }
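Review bot: The added `readResolve()` in MethodClosure.java throws a bare `UnsupportedOperationException` with no message or comment, so a rejected stream gives operators nothing that ties the failure to this hardening; I would write `throw new UnsupportedOperationException("Deserialization of MethodClosure is disabled (CVE-2015-3253)");` and put `// Refuse deserialisation: see CVE-2015-3253` above the method. The refusal is also unconditional, so any application that legitimately serialises MethodClosure instances will break on upgrade with no opt-in, which deserves a NEWS entry if it is intentional. Because the method is private, Java serialization will not apply it to a serialized subclass of MethodClosure, and the patch covers only this one class, so code that reads untrusted object streams should still restrict which classes it accepts. The class body starts outside the hunk.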
Modified: branches/groovy/squeeze-lts/debian/patches/series
===================================================================
--- branches/groovy/squeeze-lts/debian/patches/series 2015-07-25 23:38:35 UTC (rev 18787)
+++ branches/groovy/squeeze-lts/debian/patches/series 2015-07-25 23:44:09 UTC (rev 18788)
@@ -1,3 +1,4 @@
start-scripts.patch
ant-build.diff
disable-bnd.diff
+CVE-2015-3253.patch
Modified: branches/groovy/squeeze-lts/debian/rules
===================================================================
--- branches/groovy/squeeze-lts/debian/rules 2015-07-25 23:38:35 UTC (rev 18787)
+++ branches/groovy/squeeze-lts/debian/rules 2015-07-25 23:44:09 UTC (rev 18788)
@@ -9,7 +9,7 @@
DEB_ANT_BUILDFILE := build.xml
DEB_ANT_BUILD_TARGET := install doc
DEB_ANT_ARGS := -debug -DskipTests=true -DskipFetch=true
-DEB_JARS := ant mockobjects-core servlet-api jsp-api commons-cli antlr \
+DEB_JARS := ant mockobjects-core servlet-api-2.5 jsp-api-2.1 commons-cli antlr \
ant-antlr ant-trax xstream bsf xercesImpl jline junit4 xstream jline asm3 \
asm3-util asm3-tree asm3-analysis ivy bnd qdox jarjar
API_DOCS := target/html/api