Synopsis:          Important: jakarta-commons-collections security update
Advisory ID:       SLSA-2015:2671-1
Issue Date:        2015-12-21
CVE Numbers:       CVE-2015-7501
--

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the commons-
collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-
collections library is no longer allowed. Applications that require those
classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.

In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.

All running applications using the commons-collections library must be
restarted for the update to take effect.
--

SL5
  x86_64
    jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm
    jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm
    jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm
    jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm
    jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm
    jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm
  i386
    jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm
    jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm
    jakarta-commons-collections-3.2-2jpp.4.i386.rpm
    jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm
    jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm
    jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm

- Scientific Linux Development Team