CVE-2016-6814

Name	CVE-2016-6814
Description	When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-794-1
Debian Bugs	851408

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
groovy (PTS)	buster	2.4.16-2	fixed
	bullseye	2.4.21-1	fixed
	bookworm	2.4.21-8	fixed
	sid, trixie	2.4.21-10	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
groovy	source	wheezy	1.8.6-1+deb7u2		DLA-794-1
groovy	source	jessie	1.8.6-4+deb8u2
groovy	source	(unstable)	2.4.8-1			851408
groovy2	source	jessie	2.2.2+dfsg-3+deb8u2
groovy2	source	(unstable)	(unfixed)