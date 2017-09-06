-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Important: rh-maven33-groovy security update
Advisory ID: RHSA-2017:2596-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2017:2596
Issue date: 2017-09-05
CVE Names: CVE-2015-3253 CVE-2016-6814
=====================================================================

1. Summary:

An update for rh-maven33-groovy is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) -
noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) -
noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) -
noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3) -
noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) -
noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) -
noarch

3. Description:

Groovy is an agile and dynamic language for the Java Virtual Machine, built
upon Java with features inspired by languages like Python, Ruby, and
Smalltalk. It seamlessly integrates with all existing Java objects and
libraries and compiles straight to Java bytecode so you can use it anywhere
you can use Java.

Security Fix(es):

* Multiple object deserialization flaws were discovered in the
MethodClosure class in Groovy. A specially crafted serialized object
deserialized by an application using the Groovy library could cause the
application to execute arbitrary code. (CVE-2015-3253, CVE-2016-6814)
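The package update is the fix for the library-side flaw. An application that reads Java-serialized objects from untrusted input can add defence in depth independently of the update by restricting which classes the stream may instantiate, so that a class such as Groovy's MethodClosure is never resolved. The following is an added example, not code from this advisory, from Red Hat, or from the Groovy project. It uses the JDK's java.io.ObjectInputFilter (JDK 9 and later; available on JDK 8u121 and later as sun.misc.ObjectInputFilter) and assumes a hypothetical JobRequest class as the only application type the service expects to receive:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredDeserialization {

    // Hypothetical application type: the only class this service expects to receive.
    public static final class JobRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        JobRequest(String name) { this.name = name; }
    }

    // Allowlist filter. Patterns are tried in order: the Groovy runtime packages
    // (MethodClosure lives in org.codehaus.groovy.runtime) are rejected explicitly,
    // the few types the service needs are allowed, and the trailing "!*" rejects
    // every other class. The limits bound graph depth, array size and stream size
    // so oversized or deeply nested input fails fast.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.codehaus.groovy.**;!groovy.**;"
            + "java.lang.String;"
            + FilteredDeserialization.class.getName() + "$JobRequest;"
            + "maxdepth=8;maxarray=1000;maxbytes=65536;!*");

    // Deserialize bytes of unknown origin with the filter installed. A rejected class
    // surfaces as InvalidClassException before any of its deserialization hooks run.
    static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build constructed sample input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected input passes the filter (constructed sample, not a captured message).
        JobRequest ok = (JobRequest) readUntrusted(serialize(new JobRequest("nightly-build")));
        System.out.println("accepted: " + ok.name);

        // Any class outside the allowlist is rejected. A plain HashMap stands in here for
        // an unexpected type; a Groovy class would be rejected by the "!org.codehaus.groovy.**"
        // pattern in the same way, and no Groovy jar is needed to show the behaviour.
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide, without code changes, through the jdk.serialFilter system property, which is the practical route for a deployed service whose deserialization call sites are not all under your control. The filter only governs JDK native serialization; it does not replace applying the updated rh-maven33-groovy package.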



4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class
MethodClosure
1413466 - CVE-2016-6814 Apache Groovy: Remote code execution via
deserialization

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
rh-maven33-groovy-1.8.9-7.19.el6.src.rpm

noarch:
rh-maven33-groovy-1.8.9-7.19.el6.noarch.rpm
rh-maven33-groovy-javadoc-1.8.9-7.19.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
rh-maven33-groovy-1.8.9-7.19.el6.src.rpm

noarch:
rh-maven33-groovy-1.8.9-7.19.el6.noarch.rpm
rh-maven33-groovy-javadoc-1.8.9-7.19.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
rh-maven33-groovy-1.8.9-7.19.el6.src.rpm

noarch:
rh-maven33-groovy-1.8.9-7.19.el6.noarch.rpm
rh-maven33-groovy-javadoc-1.8.9-7.19.el6.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-maven33-groovy-1.8.9-7.19.el7.src.rpm

noarch:
rh-maven33-groovy-1.8.9-7.19.el7.noarch.rpm
rh-maven33-groovy-javadoc-1.8.9-7.19.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3):

Source:
rh-maven33-groovy-1.8.9-7.19.el7.src.rpm

noarch:
rh-maven33-groovy-1.8.9-7.19.el7.noarch.rpm
rh-maven33-groovy-javadoc-1.8.9-7.19.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-maven33-groovy-1.8.9-7.19.el7.src.rpm

noarch:
rh-maven33-groovy-1.8.9-7.19.el7.noarch.rpm
rh-maven33-groovy-javadoc-1.8.9-7.19.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2016-6814
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZrytaXlSAg2UNWIIRAk3tAJ9q8h942fsscW7b0Y8VT96I3aEp0gCgn5RB
rto+ldoRBb7c9ZRwAEs0OII=
=Qw3T
-----END PGP SIGNATURE-----