days
1
4
hours
1
7
minutes
5
1
seconds
3
4
search
Getting a makeover

Groovy 2.4.4 has landed under the Apache Foundation

Natali Vlatko
Makeover image via Shutterstock

The newest version of Groovy is here and with it, a mini makeover under their new custodians. The Apache Software Foundation is now looking after “Apache Groovy” with version 2.4.4 offering some critical bugfixes and maintenance.

Groovy has shipped version 2.4.4 as it’s first under the wing of The Apache Software Foundation. Releases before 2.4.4 weren’t done under the Foundation and are provided as a convenience at groovy-lang.org. Previous releases are offered without warranty.

Groovy 2.4.4 offers critical bugfixes for the most part, informing users via mailing list of the release. The biggest bug involved remote execution of untrusted code, allowing attackers to insert a special serialised object that executes code directly when deserialised.

SEE ALSO: It’s official – Groovy joins Apache Software Foundation

This kind of attack is made possible when an application has Groovy on the classpath and uses standard a Java serialisation mechanism to communicate between servers. Because of the vulnerability, users who rely on serialisation have been recommended to update immediately to receive the patch.

For those using older versions of Groovy or are unable to update, the following patch on the MethodClosure class has been supplied:

 public class MethodClosure extends Closure {
+    private Object readResolve() {
+        throw new UnsupportedOperationException();
+    }

User concerned about the bug should check out the Groovy Security area. Other fixes include the GroovyClassLoader addClasspath RegexPattern issue and compiler crashes in the static type checker. The full changelog is available here.

Doing things the “Apache Way”

Under the Apache Foundation, Groovy has had a bit of rebranding, now being referred to as “Apache Groovy”. Groovy is still classified as “undergoing incubation” as its a newly accepted project:

Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects.

The Foundation says that although incubation status may not be “a reflection of the completeness or stability of the code”, it does mean that the project has yet to be fully endorsed. All projects that join the Foundation via the Apache Incubator are managed and monitored in this fashion.

Author
Natali Vlatko
An Australian who calls Berlin home, via a two year love affair with Singapore. Natali was an Editorial Assistant for JAXenter.com (S&S Media Group).

Leave a Reply

Be the First to Comment!

avatar
400
  Subscribe  
Notify of