Bug#762690: libhibernate-validator-java: affected by CVE-2014-3558
Raphael Hertzog
hertzog at debian.org
Wed Sep 24 13:05:00 UTC 2014
Package: libhibernate-validator-java
Severity: serious
Tags: security
Hi,
the following vulnerability was published for libhibernate-validator-java.
CVE-2014-3558[0]:
It was discovered that the implementation of
org.hibernate.validator.util.ReflectionHelper together with the permissions
required to run Hibernate Validator under the Java Security Manager could allow
a malicious application deployed in the same application container to execute
several actions with escalated privileges, which might otherwise not be
possible. This flaw could be used to perform various attacks, including but not
restricted to, arbitrary code execution in systems that are otherwise secured
by the Java Security Manager.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3558
https://security-tracker.debian.org/tracker/CVE-2014-3558
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3558
Please adjust the affected versions in the BTS as needed.
The upstream fixes seem very involved and they have been pushed only
on newer versions of the package: 4.2.1, 4.3.2, and 5.1.2 respectively.
See https://hibernate.atlassian.net/browse/HV-912
Please switch to a new upstream version ASAP in unstable and help the
security team and the LTS team to provide patched versions in stable/oldstable.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
More information about the pkg-java-maintainers
mailing list