From ${URL} : An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands. External references: https://github.com/beanshell/beanshell/releases/tag/2.0b6 Upstream patches: https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49 https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
commit 9c796dcc0d36ed7a9795f7b154fe6ab4964a8529 (HEAD -> master, origin/master, origin/HEAD) Author: Patrice Clement <monsieurp@gentoo.org> Date: Tue Feb 23 16:29:55 2016 +0000 dev-java/bsh: Version bump. Fixes security bug 575482. Whilst at it, this commit also bumps the ebuild to EAPI version 5. Package-Manager: portage-2.2.26 Signed-off-by: Patrice Clement <monsieurp@gentoo.org> dev-java/bsh/Manifest | 1 + dev-java/bsh/bsh-2.0_beta4-r4.ebuild | 2 +- dev-java/bsh/bsh-2.0_beta6.ebuild | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 dev-java/bsh/bsh-2.0_beta6.ebuild Arch teams, Please stabilise: dev-java/bsh/bsh-2.0_beta6 Target arches: amd64 ppc64 x86 Thank you.
amd64 stable
commit 1e540757694cacf45317bdd687d3c33d96827194 (HEAD -> master) Author: Patrice Clement <monsieurp@gentoo.org> AuthorDate: Tue Mar 15 09:49:45 2016 +0000 Commit: Patrice Clement <monsieurp@gentoo.org> CommitDate: Tue Mar 15 09:49:45 2016 +0000 dev-java/bsh: Stable for ppc64+x86. Fixes security bug 575482. As per IRC discussion with Agostino. Package-Manager: portage-2.2.26 dev-java/bsh/bsh-2.0_beta6.ebuild | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
commit 666ad6d66632323fa4444badf35988038aaf01fa (HEAD -> master) Author: Patrice Clement <monsieurp@gentoo.org> AuthorDate: Tue Mar 15 09:52:51 2016 +0000 Commit: Patrice Clement <monsieurp@gentoo.org> CommitDate: Tue Mar 15 09:53:18 2016 +0000 dev-java/bsh: Clean up vulnerable version. Fixes security bug 575482. Package-Manager: portage-2.2.26 dev-java/bsh/Manifest | 2 -- dev-java/bsh/bsh-2.0_beta4-r4.ebuild | 68 --------------------------------------------------------- dev-java/bsh/files/bsh2-readline.patch | 151 ------------------------------------------------------------------------------------------------------------------------------ dev-java/bsh/files/bsh2.0b4-build.patch | 53 -------------------------------------------- 4 files changed, 274 deletions(-) delete mode 100644 dev-java/bsh/bsh-2.0_beta4-r4.ebuild delete mode 100644 dev-java/bsh/files/bsh2-readline.patch delete mode 100644 dev-java/bsh/files/bsh2.0b4-build.patch Security team, please vote.
GLSA request opened.
This issue was resolved and addressed in GLSA 201607-17 at https://security.gentoo.org/glsa/201607-17 by GLSA coordinator Aaron Bauman (b-man).