[bsh] 37/50: Release 2.0b4-16
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Wed Nov 29 23:53:13 UTC 2017
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository bsh.
commit 165fc898d2c18a09c7d25c1bc6a78f2d653a7182
Author: Markus Koschany <apo at debian.org>
Date: Sun Feb 28 17:49:15 2016 +0000
Release 2.0b4-16
---
debian/changelog | 14 ++++++++++++
debian/control | 4 ++--
debian/patches/CVE-2016-2510.patch | 44 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
4 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1798745..8514371 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+bsh (2.0b4-16) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-2510.
+ An application that includes BeanShell on the classpath may be vulnerable
+ if another part of the application uses Java serialization or XStream to
+ deserialize data from an untrusted source. A vulnerable application could
+ be exploited for remote code execution, including executing arbitrary shell
+ commands.
+ * Declare compliance with Debian Policy 3.9.7.
+ * Vcs-Browser: Use https.
+
+ -- Markus Koschany <apo at debian.org> Sun, 28 Feb 2016 18:36:28 +0100
+
bsh (2.0b4-15) unstable; urgency=low
* Added the poms missing in the previous upload (Closes: #730008)
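Review bot: the new changelog entry states the impact of CVE-2016-2510 but not what the package now does differently (XThis.invocationHandler becomes transient and the inner Handler class is no longer Serializable), which is the detail a reader auditing the upgrade needs; a line such as `Make XThis.Handler non-serializable and mark invocationHandler transient.` under the CVE bullet would cover it. The entry also carries no Closes: reference; if a Debian bug was filed for this CVE, it should be closed here.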
diff --git a/debian/control b/debian/control
index db27e06..41fe852 100644
--- a/debian/control
+++ b/debian/control
@@ -14,9 +14,9 @@ Build-Depends: ant,
libservlet3.0-java,
libservlet3.0-java-doc,
maven-repo-helper
-Standards-Version: 3.9.5
+Standards-Version: 3.9.7
Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/bsh
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/bsh
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/bsh
Homepage: http://www.beanshell.org
Package: bsh
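Review bot: only Vcs-Browser is moved from http to https in this hunk; the Vcs-Svn line just above still uses the cleartext svn:// scheme, so check whether the repository is also reachable over https and update that field in the same upload.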
diff --git a/debian/patches/CVE-2016-2510.patch b/debian/patches/CVE-2016-2510.patch
new file mode 100644
index 0000000..a28655e
--- /dev/null
+++ b/debian/patches/CVE-2016-2510.patch
@@ -0,0 +1,44 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 26 Feb 2016 14:24:31 +0100
+Subject: CVE-2016-2510
+
+An application that includes BeanShell on the classpath may be vulnerable if
+another part of the application uses Java serialization or XStream to
+deserialize data from an untrusted source.
+
+A vulnerable application could be exploited for remote code execution,
+including executing arbitrary shell commands.
+
+https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
+https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
+---
+ src/bsh/XThis.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
+index 3f05974..94bcc22 100644
+--- a/src/bsh/XThis.java
++++ b/src/bsh/XThis.java
+@@ -65,7 +65,7 @@ public class XThis extends This
+ */
+ Hashtable interfaces;
+
+- InvocationHandler invocationHandler = new Handler();
++ transient InvocationHandler invocationHandler = new Handler();
+
+ public XThis( NameSpace namespace, Interpreter declaringInterp ) {
+ super( namespace, declaringInterp );
+@@ -122,8 +122,12 @@ public class XThis extends This
+ classes aren't there (doesn't it?) This class shouldn't be loaded
+ if an XThis isn't instantiated in NameSpace.java, should it?
+ */
+- class Handler implements InvocationHandler, java.io.Serializable
++ class Handler implements InvocationHandler
+ {
++ private Object readResolve() throws ObjectStreamException {
++ throw new NotSerializableException();
++ }
++
+ public Object invoke( Object proxy, Method method, Object[] args )
+ throws Throwable
+ {
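Review bot: the new readResolve() in Handler refers to ObjectStreamException and NotSerializableException unqualified, while the line it replaces spelled out java.io.Serializable in full, which suggests java.io is not imported in XThis.java; the hunk adds no import (the diffstat's 6 insertions are all visible here), so either confirm the file compiles or write them as java.io.ObjectStreamException and java.io.NotSerializableException. Two further points: readResolve is only consulted for classes that are Serializable, so once `implements java.io.Serializable` is dropped the hook is defense in depth rather than the operative fix (the JVM already rejects the class during deserialization); and marking invocationHandler transient means that if an XThis instance is itself ever deserialized via This, it comes back with a null handler because field initializers do not run on deserialization, so a null check or a readObject() that reinitializes the field may be needed.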
diff --git a/debian/patches/series b/debian/patches/series
index ea5057c..16cc052 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
03_target13_buildXml.patch
04_fix_typo.patch
05_link_javadoc.patch
+CVE-2016-2510.patch
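Review bot: the existing patches in series carry a numeric prefix (03_, 04_, 05_) and the new CVE-2016-2510.patch does not, so the directory listing will no longer reflect application order; either name it 06_CVE-2016-2510.patch to match the convention or keep CVE-named patches deliberately unnumbered and apply that consistently.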
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/bsh.git