commons-configuration2 2.8.0-1~deb11u1 source package in Debian

Changelog

commons-configuration2 (2.8.0-1~deb11u1) bullseye-security; urgency=high

  * Team upload.
  * Backport version 2.8.0 from Bullseye.
  * Fix CVE-2022-33980:
    Apache Commons Configuration performs variable interpolation, allowing
    properties to be dynamically evaluated and expanded. Starting with version
    2.4 and continuing through 2.7, the set of default Lookup instances
    included interpolators that could result in arbitrary code execution or
    contact with remote servers. These lookups are:
    - "script" - execute expressions using the JVM script execution engine
      (javax.script)
    - "dns" - resolve DNS records
    - "url" - load values from URLs, including from remote servers
    Applications using the interpolation defaults in the affected
    versions may be vulnerable to remote code execution or unintentional
    contact with remote servers if untrusted configuration values are used.
    (Closes: #1014960)

 -- Markus Koschany <email address hidden>  Mon, 28 Nov 2022 10:52:07 +0100

Upload details

Uploaded by: Debian Java Maintainers
Uploaded to: Bullseye
Original maintainer: Debian Java Maintainers
Architectures: all
Section: misc
Urgency: Very Urgent

Publishing

Series Pocket Published Component Section
Bullseye release main misc

Downloads

File Size SHA-256 Checksum
commons-configuration2_2.8.0-1~deb11u1.dsc 3.1 KiB c1538a574a3c86b57b03e53e176f3c560d8cb04e34bdad24a1ec7ab7ff62bc12
commons-configuration2_2.8.0.orig.tar.xz 658.6 KiB ac1a055140e91ef8937420552512b7e8cd8bbf8899d10e753f01d6cc3dbe0f1b
commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz 5.4 KiB 60255b7b4d91ae24370cad85b72408f562ec6f61450e6ee64fb8550fa7c4e6d8

No changes file available.

Binary packages built by this source