Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)

To: Stian Soiland-Reyes <stain@apache.org>, team@security.debian.org, debian-java@lists.debian.org, 700610@bugs.debian.org
Subject: Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)
From: Emmanuel Bourg <ebourg@apache.org>
Date: Fri, 19 Feb 2016 14:32:21 +0100
Message-id: <[🔎] 56C71965.6000101@apache.org>
In-reply-to: <[🔎] CAMBJEmU3hFuN4k7wrnhAgLtQxnCDH0joQO0A_9m=KXeJzA5xkQ@mail.gmail.com>
References: <[🔎] CAMBJEmU3hFuN4k7wrnhAgLtQxnCDH0joQO0A_9m=KXeJzA5xkQ@mail.gmail.com>

Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh
though, the issue is any application deserializing untrusted data
without sanitizing it and having bsh on the classpath. I'm not aware of
such applications in Debian, but if there is one it should be fixed in
priority instead of playing whac-a-mole with the serialization code in
the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the
original author (Patrick Niemeyer) to change the license from LGPL-2 to
Apache-2.0? Also why was the Maven groupId changed from org.beanshell to
org.apache-extras.beanshell?

Emmanuel Bourg

Reply to:

Follow-Ups:
- Re: Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)
  - From: Stian Soiland-Reyes <stain@apache.org>

References:
- bsh (BeanShell) security vulnerability (CVE-2016-2510)
  - From: Stian Soiland-Reyes <stain@apache.org>

Prev by Date: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Next by Date: Re: Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Previous by thread: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Next by thread: Re: Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Index(es):
- Date
- Thread