| Header | Value |
|---|---|
| From | Emmanuel Bourg <ebourg@apache.org> |
| Newsgroups | linux.debian.maint.java, linux.debian.bugs.dist |
| Subject | Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) |
| Date | Fri, 19 Feb 2016 14:40:01 +0100 |
| Message-ID | <r3TrP-5KW-3@gated-at.bofh.it> (permalink) |
| References | <r3Scq-4Z3-7@gated-at.bofh.it> |
| Sender | robomod@news.nic.it |
| User-Agent | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1 |
| MIME-Version | 1.0 |
| Content-Type | text/plain; charset=utf-8 |
| Content-Transfer-Encoding | 7bit |
| X-Mailing-List | <debian-java@lists.debian.org> archive/latest/19216 |
| List-ID | <debian-java.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-java/> |
| List-Archive | https://lists.debian.org/msgid-search/56C71965.6000101@apache.org |
| Approved | robomod@news.nic.it |
| Lines | 15 |
| Organization | linux.* mail to news gateway |
| X-Original-Date | Fri, 19 Feb 2016 14:32:21 +0100 |
| X-Original-Message-ID | <56C71965.6000101@apache.org> |
| X-Original-References | <CAMBJEmU3hFuN4k7wrnhAgLtQxnCDH0joQO0A_9m=KXeJzA5xkQ@mail.gmail.com> |
| X-Original-Sender | Emmanuel Bourg <emmanuel.bourg@gmail.com> |
| Xref | csiph.com linux.debian.maint.java:8891 linux.debian.bugs.dist:718079 |
Cross-posted to 2 groups.
Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh though; the issue is any application deserializing untrusted data without sanitizing it and having bsh on the classpath. I'm not aware of such applications in Debian, but if there is one it should be fixed in priority instead of playing whac-a-mole with the serialization code in the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the original author (Patrick Niemeyer) to change the license from LGPL-2 to Apache-2.0? Also why was the Maven groupId changed from org.beanshell to org.apache-extras.beanshell?

Emmanuel Bourg
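The "sanitizing" Emmanuel refers to is the application restricting which classes `ObjectInputStream` may reconstruct, so that a bsh class (or any other gadget) on the classpath is never instantiated from untrusted bytes. The following is an added illustration, not code from this thread, from bsh or from Debian; the class name `AllowlistObjectInputStream`, the method `readUntrusted` and the DTO name `com.example.app.Message` are this example's own.

```java
import java.io.*;
import java.util.*;

/**
 * Hypothetical application-side hardening: an ObjectInputStream that only resolves
 * classes on an explicit allowlist. The check runs on the class name taken from the
 * stream descriptor, before the class is loaded and before any readObject or
 * readResolve hook can execute, so an unexpected class (bsh.* or otherwise) is
 * rejected without running any of its code.
 */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    // The application's own transfer type plus the few JDK types it legitimately
    // exchanges. Everything else is refused.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.Integer", "java.lang.Number",
            "com.example.app.Message"));   // hypothetical application DTO

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Deserializes one object from untrusted bytes or throws InvalidClassException. */
    public static Object readUntrusted(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialized ArrayList<String> is on the allowlist and
        // is accepted; a stream naming any class outside the list fails in resolveClass.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new ArrayList<>(Arrays.asList("hello", "world")));
        }
        System.out.println(readUntrusted(bos.toByteArray()));
    }
}
```

On Java 9 and later (and 8u121 and later) the same policy can be declared with `ObjectInputFilter` or the `jdk.serialFilter` system property instead of subclassing, which lets the allowlist be enforced for every `ObjectInputStream` in the process rather than only the ones the application constructs itself.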
bsh (BeanShell) security vulnerability (CVE-2016-2510) Stian Soiland-Reyes <stain@apache.org> - 2016-02-19 13:20 +0100
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Emmanuel Bourg <ebourg@apache.org> - 2016-02-19 14:40 +0100
Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510) Stian Soiland-Reyes <stain@apache.org> - 2016-02-19 17:30 +0100
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Markus Koschany <apo@debian.org> - 2016-02-26 15:00 +0100
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Stian Soiland-Reyes <stain@apache.org> - 2016-02-29 13:10 +0100
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Sébastien Delafond <seb@debian.org> - 2016-03-01 14:20 +0100
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Markus Koschany <apo@debian.org> - 2016-03-01 16:10 +0100
Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Sébastien Delafond <seb@debian.org> - 2016-03-01 17:10 +0100