When an application that has an unsupported Codehaus version of Groovy (1.7.0
to 2.4.3) or Apache Groovy 2.4.4 to 2.4.7 on its classpath uses standard Java
serialization mechanisms, e.g. to communicate between servers or to store
local data, an attacker could craft a special serialized object that executes
code directly when deserialized. All applications which rely on serialization
and do not isolate the code that deserializes objects were subject to this
vulnerability.
It was discovered that Apache Groovy incorrectly handled serialization
mechanisms. An attacker could possibly use this issue to execute arbitrary
code.
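As an added example (not part of this tracker entry), a Python check that walks a directory of jars and flags any Groovy version inside the affected ranges quoted above; it assumes every core Groovy jar contains groovy/lang/GroovyObject.class and that the jar manifest or the file name carries the version.

```python
import re
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Affected ranges from the advisory text: Codehaus Groovy 1.7.0 to 2.4.3
# and Apache Groovy 2.4.4 to 2.4.7 (fixed upstream in 2.4.8).
AFFECTED_RANGES = (((1, 7, 0), (2, 4, 3)), ((2, 4, 4), (2, 4, 7)))
# Assumption: this class is present in every core Groovy jar (groovy-*.jar, groovy-all-*.jar).
GROOVY_MARKER = "groovy/lang/GroovyObject.class"
_JAR_NAME = re.compile(r"^groovy(?:-all)?-(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)  # '2.4.6-indy' -> '2.4.6'
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.4' to (2, 4, 0)


def is_affected(version: str) -> bool:
    """True when the version lies in either affected range (inclusive)."""
    v = parse_version(version)
    return v is not None and any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def groovy_version_of(jar: Path) -> Optional[str]:
    """Version of a Groovy jar (manifest first, file name as fallback), else None."""
    try:
        with zipfile.ZipFile(jar) as zf:
            if GROOVY_MARKER not in zf.namelist():
                return None  # some other library's jar
            try:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            except KeyError:
                manifest = ""  # jar has no manifest at all
    except (zipfile.BadZipFile, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    if m:
        return m.group(1)
    m = _JAR_NAME.match(jar.name)
    return m.group(1) if m else None


def scan_classpath(root: Path) -> List[Tuple[str, str, bool]]:
    """Report (file name, version, affected) for every Groovy jar under root."""
    findings = []
    for jar in sorted(root.rglob("*.jar")):
        version = groovy_version_of(jar)
        if version is not None:
            findings.append((jar.name, version, is_affected(version)))
    return findings
```

Run it as `scan_classpath(Path("/path/to/lib"))`; a jar whose manifest has no Implementation-Version is still classified from its file name.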
ebarretto> groovy in Xenial is currently FTBFS. Also there's no more support
from upstream for that version (1.8.6)
Upstream: released (2.4.8-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2.4.8-1)
Ubuntu 20.04 LTS (Focal Fossa): not-affected (2.4.8-1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (2.4.8-1)

Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): DNE
Ubuntu 20.04 LTS (Focal Fossa): DNE
Ubuntu 20.10 (Groovy Gorilla): DNE
Updated: 2020-07-28 18:37:43 UTC (commit 7b6828437fde0509248708fcdb5b0f7587b85bd1)