Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)

From Markus Koschany <apo@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Date Tue, 01 Mar 2016 16:10:02 +0100
Message-ID <r7U5Y-2ju-21@gated-at.bofh.it> (permalink)
References <r3Scq-4Z3-7@gated-at.bofh.it> <r6r62-44C-7@gated-at.bofh.it> <r7Snw-1ci-9@gated-at.bofh.it>
X-Mailing-List <debian-java@lists.debian.org> archive/latest/19237
List-ID <debian-java.lists.debian.org>
List-URL <https://lists.debian.org/debian-java/>
List-Archive https://lists.debian.org/msgid-search/56D5B022.4010505@debian.org
X-Original-Cc Stian Soiland-Reyes <stain@apache.org>, debian-java@lists.debian.org
X-Original-Date Tue, 1 Mar 2016 16:07:14 +0100
X-Original-Message-ID <56D5B022.4010505@debian.org>
X-Original-References <CAMBJEmU3hFuN4k7wrnhAgLtQxnCDH0joQO0A_9m=KXeJzA5xkQ@mail.gmail.com> <56D05866.80102@debian.org> <20160301131715.GC15812@frisco.mine.nu>

[Multipart message — attachments visible in raw view]

On 01.03.2016 at 14:17, Sébastien Delafond wrote:
> On Feb/26, Markus Koschany wrote:
>> On 19.02.2016 at 13:10, Stian Soiland-Reyes wrote:
>>> Hi,
>>>
>>> BeanShell aka bsh has released a security fix 2.0b6:
>>>
>>> https://github.com/beanshell/beanshell/releases/tag/2.0b6
>>>
>>> It has been reported to MITRE as CVE-2016-2510.
>>
>> Hi Stian,
>>
>> I intend to backport your changes to fix CVE-2016-2510. Looking at the
>> relevant commits, I could condense the changes to create the attached
>> patch. Could you take a look at it and confirm that this is sufficient?
> 
> Hi Markus,
> 
> now that upstream has validated your patch, do you intend to package and
> upload fixed versions for both wheezy- and jessie-security? In that
> case, I'd be happy to validate both your debdiffs prior to your
> uploading, and then we can release the DSA.
> 

Hi Seb,

Thanks for your assistance. I'm attaching the proposed debdiff for bsh
in Wheezy and Jessie. I can upload anytime.

P.S.: If time permits, please let me know how we should proceed with
Tomcat 6 in Wheezy.

Regards,

Markus



Thread

bsh (BeanShell) security vulnerability (CVE-2016-2510) Stian Soiland-Reyes <stain@apache.org> - 2016-02-19 13:20 +0100
  Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Emmanuel Bourg <ebourg@apache.org> - 2016-02-19 14:40 +0100
    Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510) Stian Soiland-Reyes <stain@apache.org> - 2016-02-19 17:30 +0100
  Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Markus Koschany <apo@debian.org> - 2016-02-26 15:00 +0100
    Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Stian Soiland-Reyes <stain@apache.org> - 2016-02-29 13:10 +0100
    Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Sébastien Delafond <seb@debian.org> - 2016-03-01 14:20 +0100
      Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Markus Koschany <apo@debian.org> - 2016-03-01 16:10 +0100
        Re: bsh (BeanShell) security vulnerability (CVE-2016-2510) Sébastien Delafond <seb@debian.org> - 2016-03-01 17:10 +0100
