[pkg-java] r19004 - in trunk/bsh/debian: . patches
Markus Koschany
apo-guest at moszumanska.debian.org
Sun Feb 28 17:49:15 GMT 2016
Author: apo-guest
Date: 2016-02-28 17:49:15 +0000 (Sun, 28 Feb 2016)
New Revision: 19004
Added:
trunk/bsh/debian/patches/CVE-2016-2510.patch
Modified:
trunk/bsh/debian/changelog
trunk/bsh/debian/control
trunk/bsh/debian/patches/series
Log:
Release 2.0b4-16
Modified: trunk/bsh/debian/changelog
===================================================================
--- trunk/bsh/debian/changelog 2016-02-27 09:26:51 UTC (rev 19003)
+++ trunk/bsh/debian/changelog 2016-02-28 17:49:15 UTC (rev 19004)
@@ -1,3 +1,17 @@
+bsh (2.0b4-16) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-2510.
+ An application that includes BeanShell on the classpath may be vulnerable
+ if another part of the application uses Java serialization or XStream to
+ deserialize data from an untrusted source. A vulnerable application could
+ be exploited for remote code execution, including executing arbitrary shell
+ commands.
+ * Declare compliance with Debian Policy 3.9.7.
+ * Vcs-Browser: Use https.
+
+ -- Markus Koschany <apo at debian.org> Sun, 28 Feb 2016 18:36:28 +0100
+
bsh (2.0b4-15) unstable; urgency=low
* Added the poms missing in the previous upload (Closes: #730008)
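Review bot: The entry describes the impact of CVE-2016-2510 but not what was actually changed; a short clause naming the fix (XThis.Handler no longer implements Serializable and the invocationHandler field is now transient) would let readers judge the scope of the change from the changelog without opening the patch. urgency=high is appropriate for a security upload.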
Modified: trunk/bsh/debian/control
===================================================================
--- trunk/bsh/debian/control 2016-02-27 09:26:51 UTC (rev 19003)
+++ trunk/bsh/debian/control 2016-02-28 17:49:15 UTC (rev 19004)
@@ -14,9 +14,9 @@
libservlet3.0-java,
libservlet3.0-java-doc,
maven-repo-helper
-Standards-Version: 3.9.5
+Standards-Version: 3.9.7
Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/bsh
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/bsh
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/bsh
Homepage: http://www.beanshell.org
Package: bsh
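Review bot: Vcs-Browser moves to https, but the Vcs-Svn line in the unchanged context still uses the plain svn:// scheme (svn://anonscm.debian.org/pkg-java/trunk/bsh). If the host offers an https checkout URL, switching that field as well would be consistent with the reason for the Vcs-Browser change; otherwise leave as is.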
Added: trunk/bsh/debian/patches/CVE-2016-2510.patch
===================================================================
--- trunk/bsh/debian/patches/CVE-2016-2510.patch (rev 0)
+++ trunk/bsh/debian/patches/CVE-2016-2510.patch 2016-02-28 17:49:15 UTC (rev 19004)
@@ -0,0 +1,44 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 26 Feb 2016 14:24:31 +0100
+Subject: CVE-2016-2510
+
+An application that includes BeanShell on the classpath may be vulnerable if
+another part of the application uses Java serialization or XStream to
+deserialize data from an untrusted source.
+
+A vulnerable application could be exploited for remote code execution,
+including executing arbitrary shell commands.
+
+https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
+https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
+---
+ src/bsh/XThis.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
+index 3f05974..94bcc22 100644
+--- a/src/bsh/XThis.java
++++ b/src/bsh/XThis.java
+@@ -65,7 +65,7 @@ public class XThis extends This
+ */
+ Hashtable interfaces;
+
+- InvocationHandler invocationHandler = new Handler();
++ transient InvocationHandler invocationHandler = new Handler();
+
+ public XThis( NameSpace namespace, Interpreter declaringInterp ) {
+ super( namespace, declaringInterp );
+@@ -122,8 +122,12 @@ public class XThis extends This
+ classes aren't there (doesn't it?) This class shouldn't be loaded
+ if an XThis isn't instantiated in NameSpace.java, should it?
+ */
+- class Handler implements InvocationHandler, java.io.Serializable
++ class Handler implements InvocationHandler
+ {
++ private Object readResolve() throws ObjectStreamException {
++ throw new NotSerializableException();
++ }
++
+ public Object invoke( Object proxy, Method method, Object[] args )
+ throws Throwable
+ {
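Review bot: Making invocationHandler transient means any XThis that is deserialized (via Java serialization or XStream) comes back with invocationHandler == null, so a later call through its proxy fails with a NullPointerException rather than a clear error; if XThis is not meant to round-trip at all, that is acceptable but should be stated in the patch description, or XThis could get a readObject that rejects the object outright, mirroring what Handler.readResolve does here. Also, the second hunk uses ObjectStreamException and NotSerializableException without adding import lines, so the build relies on XThis.java already importing java.io.*; please confirm that before upload. Finally, the two upstream commit URLs in the body would be better expressed as DEP-3 Origin: headers so patch tooling can pick them up.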
Modified: trunk/bsh/debian/patches/series
===================================================================
--- trunk/bsh/debian/patches/series 2016-02-27 09:26:51 UTC (rev 19003)
+++ trunk/bsh/debian/patches/series 2016-02-28 17:49:15 UTC (rev 19004)
@@ -3,3 +3,4 @@
03_target13_buildXml.patch
04_fix_typo.patch
05_link_javadoc.patch
+CVE-2016-2510.patch
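Review bot: The existing entries use a numbered prefix (03_, 04_, 05_) while the new entry does not; since the order in series is authoritative this is cosmetic, but renaming to something like 06_CVE-2016-2510.patch would keep the directory listing in application order.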