Bug#1059726: jline3: CVE-2023-50572
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 11 22:44:26 BST 2026
Hi Emmanuel,
On Thu, Jun 11, 2026 at 11:28:06PM +0200, Emmanuel Bourg wrote:
> Control: found -1 3.14.0
>
>
> Le 30/12/2023 à 21:13, Salvatore Bonaccorso a écrit :
> > Source: jline3
> > Version: 3.3.1-3
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for jline3.
> >
> > CVE-2023-50572[0]:
> > | An issue in the component GroovyEngine.execute of jline-groovy
> > | v3.24.1 allows attackers to cause an OOM (OutofMemory) error.
> >
> > Now I'm not completely sure about the assessment. The code in 3.3.1
> > got some refactoring in later version and the upstream commit from
> > 3.25.0 fixing the issue would not apply cleanly, but I'm not 100%
> > convinced that the issue is only introduced later. Please double check
> > that. In case not, where was the issue introduced, can we pin-point
> > that?
>
> Groovy support was introduced in JLine 3.14.0 [1], so our old 3.3.1 version
> is not affected by CVE-2023-50572.
Thanks, I have updated the security-tracker information.
Regards,
Salvatore