Bug#885577: libhibernate-validator-java: CVE-2017-7536: Privilege escalation when running under the security manager

Salvatore Bonaccorso carnil at debian.org
Mon Jan 8 19:31:59 UTC 2018


Hey!

On Mon, Jan 08, 2018 at 06:03:48PM +0100, Markus Koschany wrote:
> Hi,
> 
> On 08.01.2018 at 17:44, Salvatore Bonaccorso wrote:
> [...]
> > So the patched files exist, and similar code flow is present.
> > 
> > I explicitly have not looked (yet) at 4.0.2.GA which is in jessie (and
> > wheezy), just the 4.3.3 based versions in stable and unstable yet.
> > 
> > What do you miss?
> 
> Oh, I was somehow under the impression all versions were the same. The
> getAccessible method is not present in Wheezy/Jessie hence my
> conclusion. The version in stable/unstable looks to me like we could
> apply the patch.

Ok, thanks a lot for double checking. Again, I'm not sure how pressing
the issue is; I'm deferring a DSA/no-DSA decision to one of my
teammates. Privilege escalation rings some bells obviously.

For older versions than 4.3.3, am I right that the issue is only
introduced in ab21ca98fd7814bd014e7d8e03de8640f2529352, "HV-912 Not
exposing accessible-made members", which is in 4.3.2.Final~3, or is it
more just uncovered there?

Regards,
Salvatore