Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)

From Thomas Uhle <thomas.uhle@mailbox.tu-dresden.de>
Newsgroups linux.debian.bugs.dist, linux.debian.maint.java
Subject Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Date 2022-02-25 22:40 +0100
Message-ID <DUQtH-4koS-13@gated-at.bofh.it> (permalink)
References (2 earlier) <r3VWG-7Ih-17@gated-at.bofh.it> <DTMit-3FsZ-15@gated-at.bofh.it> <DTMLv-3FSS-3@gated-at.bofh.it> <kDpsR-n9-3@gated-at.bofh.it> <DTMLv-3FSS-3@gated-at.bofh.it>
Organization linux.* mail to news gateway

Cross-posted to 2 groups.


On Wed, 23 Feb 2022, Thorsten Glaser wrote:

> On Tue, 22 Feb 2022, Thomas Uhle wrote:
>
> > What do you think, wouldn't it be time for an update in Debian?
>
> The comment
> > at https://github.com/beanshell/beanshell/issues/603 .
> reads for me more like a “maybe remove it instead…”.
>
> Honestly though, if it’s not available in Central, upstreams will
> not use it and stick to old beta versions. If Debian has a newer
> one, which may be incompatible, we’re inviting problems.

That might be true although the BeanShell developers claim in their 
announcement of version 2.1.0 to be backward compatible with version 2.0b6, 
and only suitable backports from the upcoming version 3.0 of BeanShell 
have made it into version 2.1.0.  But even then Debian could move on to 
version 2.0b6 at least.  It is the latest version of BeanShell on Maven 
Central.

Perhaps we might have a better picture after a look at other Linux 
distributions.  Arch, Fedora and Mageia for instance already have version 
2.1.0 onboard whereas Gentoo, OpenMandriva, openSUSE and Red Hat stay with 
version 2.0b6 (... to name just a few).  So it is quite mixed.  But I 
haven't seen any Linux distribution so far (apart from those derived from 
Debian like Linux Mint, Ubuntu, etc.) that still has version 2.0b4.
It seems that both decisions (either to update to version 2.1.0 or to 
version 2.0b6) are reasonable.

Best regards,

Thomas Uhle



Thread

Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510) Thomas Uhle <thomas.uhle@mailbox.tu-dresden.de> - 2022-02-23 00:00 +0100
  Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510) Thorsten Glaser <t.glaser@tarent.de> - 2022-02-23 00:40 +0100
    Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510) Thomas Uhle <thomas.uhle@mailbox.tu-dresden.de> - 2022-02-25 22:40 +0100
