
Gentoo alert 202601-05 (Commons-BeanUtils)

From:  glsamaker@gentoo.org
To:  gentoo-announce@lists.gentoo.org
Subject:  [gentoo-announce] [ GLSA 202601-05 ] Commons-BeanUtils: Arbitrary Code Execution
Date:  Mon, 26 Jan 2026 10:32:58 -0000
Message-ID:  <176942357919.7.2163074031867346363@3f85d36892cf>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 202601-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Commons-BeanUtils: Arbitrary Code Execution
      Date: January 26, 2026
      Bugs: #960929
        ID: 202601-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Commons-BeanUtils, which can lead
to execution of arbitrary code.

Background
==========

Commons-beanutils provides easy-to-use wrappers around Reflection and
Introspection APIs.

Affected packages
=================

Package                     Vulnerable    Unaffected
--------------------------  ------------  ------------
dev-java/commons-beanutils  < 1.11.0      >= 1.11.0

Description
===========

Multiple vulnerabilities have been discovered in Commons-BeanUtils. Please
review the CVE identifiers referenced below for details.

Impact
======

A special BeanIntrospector class was added in version 1.9.2. This can be
used to stop attackers from using the declared class property of Java enum
objects to get access to the classloader. However this protection was not
enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now
disallows declared class level property access by default.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Commons-BeanUtils users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/commons-beanutils-1.11.0"

References
==========

[ 1 ] CVE-2025-48734
      https://nvd.nist.gov/vuln/detail/CVE-2025-48734

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  https://security.gentoo.org/glsa/202601-05

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2026 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
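The Impact section above describes the opt-in BeanIntrospector mechanism that 1.9.2 introduced and that 1.11.0 enables by default. The following is an added example (not part of the advisory or the Commons-BeanUtils project) showing how a deployment that cannot upgrade yet can apply the same suppression on a 1.9.2+ build, and how to verify it took effect. It assumes the public API of org.apache.commons.beanutils (PropertyUtilsBean, SuppressPropertiesBeanIntrospector) and uses the JavaBeans property name "declaringClass" for Enum.getDeclaringClass(), which is an assumption about the property the advisory calls the "declared class" property.

```java
import java.util.Arrays;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    // Constructed sample enum; any enum constant exposes "class" and "declaringClass"
    // through standard JavaBeans introspection.
    public enum Color { RED, GREEN }

    // True if PropertyUtils would resolve and read the named property on the bean.
    static boolean isReadable(PropertyUtilsBean pu, Object bean, String property) {
        return pu.isReadable(bean, property);
    }

    // Builds a PropertyUtilsBean hardened the way 1.11.0 is by default:
    // SUPPRESS_CLASS is the 1.9.2 introspector the advisory refers to; the second
    // introspector suppresses the enum "declaringClass" property (assumed name).
    static PropertyUtilsBean hardenedPropertyUtils() {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        pu.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Arrays.asList("declaringClass")));
        return pu;
    }

    public static void main(String[] args) {
        PropertyUtilsBean defaults = new PropertyUtilsBean();   // pre-1.11.0 behaviour
        PropertyUtilsBean hardened = hardenedPropertyUtils();

        for (String prop : new String[] {"class", "declaringClass"}) {
            System.out.printf("%-15s default=%-5s hardened=%s%n", prop,
                isReadable(defaults, Color.RED, prop),
                isReadable(hardened, Color.RED, prop));
        }

        // The static BeanUtils/PropertyUtils helpers share one singleton; harden it too,
        // otherwise code paths using the static API keep the old behaviour.
        PropertyUtilsBean shared = BeanUtilsBean.getInstance().getPropertyUtils();
        shared.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        shared.addBeanIntrospector(
            new SuppressPropertiesBeanIntrospector(Arrays.asList("declaringClass")));
    }
}
```

Run against a pre-1.11.0 jar, the default instance reports both properties readable while the hardened one reports neither; against 1.11.0 or later both instances should report them unreadable, which is a quick way to confirm the upgrade landed on the classpath actually in use.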



