This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository bsh.
commit 165fc898d2c18a09c7d25c1bc6a78f2d653a7182
Author: Markus Koschany <a...@debian.org>
Date: Sun Feb 28 17:49:15 2016 +0000

Release 2.0b4-16
---
debian/changelog | 14 ++++++++++++
debian/control | 4 ++--
debian/patches/CVE-2016-2510.patch | 44 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
4 files changed, 61 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 1798745..8514371 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+bsh (2.0b4-16) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-2510.
+ An application that includes BeanShell on the classpath may be vulnerable
+ if another part of the application uses Java serialization or XStream to
+ deserialize data from an untrusted source. A vulnerable application could
+ be exploited for remote code execution, including executing arbitrary shell
+ commands.
+ * Declare compliance with Debian Policy 3.9.7.
+ * Vcs-Browser: Use https.
+
+ -- Markus Koschany <a...@debian.org> Sun, 28 Feb 2016 18:36:28 +0100
+
 bsh (2.0b4-15) unstable; urgency=low
 * Added the poms missing in the previous upload (Closes: #730008)
diff --git a/debian/control b/debian/control
index db27e06..41fe852 100644
--- a/debian/control
+++ b/debian/control
@@ -14,9 +14,9 @@ Build-Depends: ant,
 libservlet3.0-java,
 libservlet3.0-java-doc,
 maven-repo-helper
-Standards-Version: 3.9.5
+Standards-Version: 3.9.7
 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/bsh
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/bsh
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/bsh
 Homepage: http://www.beanshell.org
 Package: bsh
diff --git a/debian/patches/CVE-2016-2510.patch b/debian/patches/CVE-2016-2510.patch
new file mode 100644
index 0000000..a28655e
--- /dev/null
+++ b/debian/patches/CVE-2016-2510.patch
@@ -0,0 +1,44 @@
+From: Markus Koschany <a...@debian.org>
+Date: Fri, 26 Feb 2016 14:24:31 +0100
+Subject: CVE-2016-2510
+
+An application that includes BeanShell on the classpath may be vulnerable if
+another part of the application uses Java serialization or XStream to
+deserialize data from an untrusted source.
+
+A vulnerable application could be exploited for remote code execution,
+including executing arbitrary shell commands.
+
+https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
+https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
+---
+ src/bsh/XThis.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
+index 3f05974..94bcc22 100644
+--- a/src/bsh/XThis.java
++++ b/src/bsh/XThis.java
+@@ -65,7 +65,7 @@ public class XThis extends This
+ */
+ Hashtable interfaces;
+
+- InvocationHandler invocationHandler = new Handler();
++ transient InvocationHandler invocationHandler = new Handler();
+
+ public XThis( NameSpace namespace, Interpreter declaringInterp ) {
+ super( namespace, declaringInterp );
+@@ -122,8 +122,12 @@ public class XThis extends This
+ classes aren't there (doesn't it?) This class shouldn't be loaded
+ if an XThis isn't instantiated in NameSpace.java, should it?
+ */
+- class Handler implements InvocationHandler, java.io.Serializable
++ class Handler implements InvocationHandler
+ {
++ private Object readResolve() throws ObjectStreamException {
++ throw new NotSerializableException();
++ }
++
+ public Object invoke( Object proxy, Method method, Object[] args )
+ throws Throwable
+ {
diff --git a/debian/patches/series b/debian/patches/series
index ea5057c..16cc052 100644
--- a/debian/patches/series
+++ b/debian/patches/series
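Review bot: The new `readResolve` on `Handler` can never be reached through `ObjectInputStream`, because the same hunk drops `java.io.Serializable` from the class and Java serialization rejects a non-Serializable class before consulting `readResolve`; it only matters for deserializers such as XStream that do not require `Serializable` (the description names XStream), so it deserves a comment like `// Not Serializable; readResolve still blocks deserializers (e.g. XStream) that do not check for Serializable.` so a later cleanup does not remove it as dead code. The thrown exception carries no message, and `throw new NotSerializableException( getClass().getName() );` would name the rejected class in logs. Marking `invocationHandler` transient means a deserialized `XThis` comes back with that field null unless a `readObject` elsewhere restores it, which this patch does not show, so whatever code later hands the handler to a proxy (outside this hunk) should be checked for a null field. The added lines use `ObjectStreamException` and `NotSerializableException` unqualified while the removed line spelled `java.io.Serializable` in full, so it is worth confirming that XThis.java imports `java.io`. The `Handler` class body continues past the end of the hunk.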
@@ -3,3 +3,4 @@
 03_target13_buildXml.patch
 04_fix_typo.patch
 05_link_javadoc.patch
+CVE-2016-2510.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/bsh.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits