From: Emmanuel Bourg
Newsgroups: linux.debian.maint.java, linux.debian.bugs.dist
Subject: Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Date: Fri, 19 Feb 2016 14:32:21 +0100
Message-ID: <56C71965.6000101@apache.org>
List-Archive: https://lists.debian.org/msgid-search/56C71965.6000101@apache.org
Organization: linux.* mail to news gateway

Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh, though: the issue is any application deserializing untrusted data without sanitizing it and having bsh on the classpath. I'm not aware of such applications in Debian, but if there is one it should be fixed in priority instead of playing whack-a-mole with the serialization code in the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the original author (Patrick Niemeyer) to change the license from LGPL-2 to Apache-2.0? Also, why was the Maven groupId changed from org.beanshell to org.apache-extras.beanshell?

Emmanuel Bourg