CVE-2017-20189

NameCVE-2017-20189
DescriptionIn Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clojure (PTS)bullseye1.10.2-1fixed
bookworm1.11.1-2fixed
forky, sid, trixie1.12.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clojuresource(unstable)1.9.0-1

Notes

https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3 (clojure-1.9.0-alpha20)
Search for package or bug name: Reporting problems