group.of.nepali.translators team mailing list archive

[Bug 1714728] [NEW] [CVEs] Creates executable class files with wrong permissions, Unsafe deserialization leads to code execution

*** This bug is a security vulnerability ***

Public security bug reported:

This aims to fix two CVEs:

 - CVE-2013-2027: Creates executable class files with wrong permissions
 - CVE-2016-4000: Unsafe deserialization leads to code execution

While CVE-2013-2027 is not shown as fixed in Debian and Red Hat, it is
fixed in openSUSE (openSUSE-SU-2015:0269-1), so we can backport their
patches.

CVE-2016-4000 was fixed in Debian in 2.5.3-17, and that's in Artful, but
we still need fixes for Trusty, Xenial, and Zesty.

** Affects: jython (Ubuntu)
     Importance: Medium
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Affects: jython (Ubuntu Trusty)
     Importance: High
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Affects: jython (Ubuntu Xenial)
     Importance: High
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Affects: jython (Ubuntu Zesty)
     Importance: High
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Affects: jython (Ubuntu Artful)
     Importance: Medium
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress
** Tags: artful trusty xenial zesty

** Also affects: jython (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: jython (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: jython (Ubuntu Artful)
   Importance: Undecided
       Status: New

** Also affects: jython (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4000

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1714728
