Groovy is vulnerable to remote execution of arbitrary code when Java serialization is used.
| Package | dev-java/groovy on all architectures |
| Affected versions | < 2.4.5 |
| Unaffected versions | >= 2.4.5 |
A multi-faceted language for the Java platform
Groovy’s MethodClosure class, in runtime/MethodClosure.java, is vulnerable to a crafted serialized object.
Remote attackers could potentially execute arbitrary code or cause a Denial of Service condition.
A workaround exists: use a custom security policy file with the standard Java security manager, or do not rely on serialization to communicate remotely.
All Groovy users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/groovy-2.4.5"
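The upgrade above only covers the packaged copy. As an added example (not part of the advisory or of Gentoo tooling), the following shell check goes one step further and flags Groovy jars bundled inside applications whose version is below 2.4.5. The function names and the assumed jar naming (`groovy-2.4.4.jar`, `groovy-all-2.4.4.jar`, optional `-indy` suffix) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag Groovy versions older than the fixed release in this advisory.
FIXED=2.4.5   # first unaffected version, taken from the advisory

# groovy_is_affected VERSION
# Returns 0 if VERSION < FIXED, 1 if not, 2 if VERSION cannot be parsed.
groovy_is_affected() {
    ver=$1
    num=${ver%%-*}          # numeric part, e.g. 2.4.0 from 2.4.0-rc-1
    suffix=${ver#"$num"}    # pre-release suffix, if any
    case $num in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $num;   a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $FIXED; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        [ "${pair%%:*}" -lt "${pair##*:}" ] && return 0
        [ "${pair%%:*}" -gt "${pair##*:}" ] && return 1
    done
    # Same numbers as FIXED: only a pre-release build counts as older.
    [ -n "$suffix" ] && return 0
    return 1
}

# jar_version PATH: print the version embedded in a groovy*.jar file name.
# Assumes names such as groovy-all-2.4.4.jar or groovy-2.4.4-indy.jar.
jar_version() {
    name=${1##*/}; name=${name%.jar}; name=${name%-indy}
    case $name in groovy-*[0-9]*) ;; *) return 1 ;; esac
    printf '%s\n' "$name" | sed 's/^[^0-9]*-\([0-9]\)/\1/'
}

# audit_jars: read jar paths on stdin; report old or unparseable Groovy jars.
audit_jars() {
    while IFS= read -r jar; do
        v=$(jar_version "$jar") || continue   # not a Groovy jar
        rc=0
        groovy_is_affected "$v" || rc=$?
        case $rc in
            0) printf 'AFFECTED %s %s\n' "$v" "$jar" ;;
            2) printf 'UNKNOWN %s %s\n' "$v" "$jar" ;;
        esac
    done
    return 0
}

# Typical use (search roots are placeholders):
#   find /opt /srv -name 'groovy*.jar' 2>/dev/null | audit_jars
```

A jar reported as `UNKNOWN` has a name the parser could not map to a version and should be checked by hand.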
October 06, 2016
October 06, 2016: 1