Security Information / 2017 / Security Information -- DSA-3893-1 jython

Debian Security Advisory

DSA-3893-1 jython -- security update

Date Reported:

22 Jun 2017

Affected Packages:

jython

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 864859.
In Mitre's CVE dictionary: CVE-2016-4000.

More information:

Alvaro Munoz and Christian Schneider discovered that jython, an implementation of the Python language seamlessly integrated with Java, is prone to arbitrary code execution triggered when sending a serialized function to the deserializer.

For the oldstable distribution (jessie), this problem has been fixed in version 2.5.3-3+deb8u1.

For the stable distribution (stretch), this problem has been fixed in version 2.5.3-16+deb9u1.

For the unstable distribution (sid), this problem has been fixed in version 2.5.3-17.

We recommend that you upgrade your jython packages.