Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)

To: Markus Koschany <apo@debian.org>
Cc: Stian Soiland-Reyes <stain@apache.org>, team@security.debian.org, debian-java@lists.debian.org
Subject: Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)
From: Sébastien Delafond <seb@debian.org>
Date: Tue, 1 Mar 2016 14:17:15 +0100
Message-id: <[🔎] 20160301131715.GC15812@frisco.mine.nu>
In-reply-to: <56D05866.80102@debian.org>
References: <CAMBJEmU3hFuN4k7wrnhAgLtQxnCDH0joQO0A_9m=KXeJzA5xkQ@mail.gmail.com> <56D05866.80102@debian.org>

On Feb/26, Markus Koschany wrote:
> Am 19.02.2016 um 13:10 schrieb Stian Soiland-Reyes:
> > Hi,
> > 
> > BeanShell aka bsh has released a security fix 2.0b6:
> > 
> > https://github.com/beanshell/beanshell/releases/tag/2.0b6
> > 
> > It has been reported to MITRE as CVE-2016-2510.
> 
> Hi Stian,
> 
> I intend to backport your changes to fix CVE-2016-2510. Looking at the
> relevant commits, I could condense the changes to create the attached
> patch. Could you take a look at it and confirm that this is sufficient?

Hi Markus,

now that upstream has validated your patch, do you intend to package and
upload fixed versions for both wheezy- and jessie-security ? In that
case, I'd be happy to validate both your debdiffs prior to your
uploading, and then we can release the DSA.

Cheers,

--Seb

Reply to:

Follow-Ups:
- Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)
  - From: Markus Koschany <apo@debian.org>

Next by Date: Maven 3.3 backport
Next by thread: Re: bsh (BeanShell) security vulnerability (CVE-2016-2510)
Index(es):
- Date
- Thread