Format: 1.8
Date: Mon, 28 Nov 2022 11:00:21 CET
Source: commons-configuration2
Architecture: source
Version: 2.8.0-1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 4a6b341cc007f5f471e2dc5ac188646a9d6871ca 3147 commons-configuration2_2.8.0-1~deb11u1.dsc
 c03103d376cdd50db521b0d5a327705bfad6e48a 674444 commons-configuration2_2.8.0.orig.tar.xz
 a8af81b5e8b6ea69a007656074b7ac0e38693cf3 5500 commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
 f7cf409535a07dfe691f72ac6aa9e2d4e4087395 17765 commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo
Checksums-Sha256:
 c1538a574a3c86b57b03e53e176f3c560d8cb04e34bdad24a1ec7ab7ff62bc12 3147 commons-configuration2_2.8.0-1~deb11u1.dsc
 ac1a055140e91ef8937420552512b7e8cd8bbf8899d10e753f01d6cc3dbe0f1b 674444 commons-configuration2_2.8.0.orig.tar.xz
 60255b7b4d91ae24370cad85b72408f562ec6f61450e6ee64fb8550fa7c4e6d8 5500 commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
 86acb86b71369da8dda8dfc370d11effe6820556c665b67ad6fc1b17e6f1471d 17765 commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo
Closes: 1014960
Changes:
 commons-configuration2 (2.8.0-1~deb11u1) bullseye-security; urgency=high
 .
   * Team upload.
   * Backport version 2.8.0 from Bullseye.
   * Fix CVE-2022-33980: Apache Commons Configuration performs variable
     interpolation, allowing properties to be dynamically evaluated and
     expanded. Starting with version 2.4 and continuing through 2.7, the set
     of default Lookup instances included interpolators that could result in
     arbitrary code execution or contact with remote servers.
     These lookups are:
     - "script" - execute expressions using the JVM script execution engine
       (javax.script)
     - "dns" - resolve dns records
     - "url" - load values from urls, including from remote servers
     Applications using the interpolation defaults in the affected versions
     may be vulnerable to remote code execution or unintentional contact with
     remote servers if untrusted configuration values are used.
     (Closes: #1014960)
Files:
 fa7cdaaae6a92a07a2bfe9b013f284e5 3147 java optional commons-configuration2_2.8.0-1~deb11u1.dsc
 fc1361d211825df0a92dc5d4d604f11a 674444 java optional commons-configuration2_2.8.0.orig.tar.xz
 0620bde3c78ac9a8dfb95d4ceabcb50f 5500 java optional commons-configuration2_2.8.0-1~deb11u1.debian.tar.xz
 0cc36f29d03b550d137bf46bddd90b9b 17765 java optional commons-configuration2_2.8.0-1~deb11u1_amd64.buildinfo