Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)

Stian Soiland-Reyes stain at apache.org
Fri Feb 19 16:18:40 UTC 2016


Hi, thanks. I agree that this is a general Java issue in any
application using serialization - the vulnerability attack vector
would just move to less common libraries (we point this out in the
release notes).
Also I must admit for me it was a bit confusing at first to learn
about how a scripting language could be used to run arbitrary code -
well that's the point! :-)  However the issue could arise just by
having bsh.jar on the classpath and doing any other kind of
deserialization from files or the network.


Patrick Niemeyer (CC) did the license change as part of the code
donation to ASF:
https://github.com/beanshell/beanshell/commit/8bac4930744cc62134125263b3e61ef04e296c80

Pat is also part of the https://github.com/beanshell team.

I've added a brief History section to
https://github.com/beanshell/beanshell#history - perhaps Pat wants to
review that :)



We changed the groupId for 2.0b5 as it was unclear at the time what
the relationship with beanshell.org was, and beanshell.org also
had an existing 2.0b5 release under LGPL.

Since Google Code shut down, http://apache-extras.org/ as a domain name
has become a bit meaningless, so org.apache-extras.beanshell is now
not a good groupId.

We could probably change the groupId back to org.beanshell and as a
GitHub project take over management of the http://beanshell.org/
website - but there's a bit of legacy to maintain there (e.g. older
releases and Beanshell 1) - so that's up to Pat to decide - perhaps
just a banner pointing to the GitHub page would be enough?

I've added https://github.com/beanshell/beanshell/issues/17 to discuss this.

There is also the fork https://github.com/pejobo/beanshell2 - but
pejobo has also joined https://github.com/beanshell so hopefully his
patches there would move across. (They have to be recontributed by the
original authors as beanshell2 was LGPL)

On 19 February 2016 at 13:32, Emmanuel Bourg <ebourg at apache.org> wrote:
> Hi Stian,
>
> Thank you for the notice. Technically this isn't a vulnerability in bsh
> though, the issue is any application deserializing untrusted data
> without sanitizing it and having bsh on the classpath. I'm not aware of
> such applications in Debian, but if there is one it should be fixed in
> priority instead of playing whack-a-mole with the serialization code in
> the 800+ Java libraries in Debian.
>
> Regarding your fork on GitHub, did you get the authorization from the
> original author (Patrick Niemeyer) to change the license from LGPL-2 to
> Apache-2.0? Also why was the Maven groupId changed from org.beanshell to
> org.apache-extras.beanshell?
>
> Emmanuel Bourg



-- 
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718
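The mitigation both mails point at is to stop deserializing untrusted data blindly, whatever happens to be on the classpath. Below is an added example (not BeanShell's or Debian's code) of an ObjectInputStream that refuses any class not on an explicit allow-list; the allowed classes and the demo payloads are constructed for the illustration, and Set.of/List.of assume Java 9 or later.

```java
import java.io.*;
import java.util.Set;

// Look-ahead deserialization: every class descriptor in the stream is checked
// in resolveClass() before an instance exists, so a gadget class from a library
// that merely sits on the classpath (bsh.jar or any other) is never loaded.
public class AllowListObjectInputStream extends ObjectInputStream {
    // Constructed allow-list for the demo; a real application lists only the
    // types its own protocol is expected to carry.
    private static final Set<String> ALLOWED = Set.of(
        "java.util.ArrayList",
        "java.lang.Integer",
        "java.lang.Number"        // superclass of Integer, also in the stream
    );

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Constructed round-trip: an allowed ArrayList is accepted, a HashMap
    // (not on the list) is rejected before it is instantiated.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.ArrayList<>(java.util.List.of("a", 1)));
        }
        try (ObjectInputStream ois = new AllowListObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("accepted: " + ois.readObject());
        }
        bos.reset();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new java.util.HashMap<String, String>());
        }
        try (ObjectInputStream ois = new AllowListObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

String elements are written as TC_STRING records rather than class descriptors, which is why java.lang.String does not need to appear on the list for the demo to pass.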


