Bugzilla – Bug 967593
VUL-0: CVE-2016-2510: bsh2: remote code execution vulnerability via deserialization
Last modified: 2016-04-19 09:34:16 UTC
New beanshell release 2.0b6 fixes a remote code execution vulnerability.
https://github.com/beanshell/beanshell/releases/tag/2.0b6

This affects only SDK releases. Released with products:
* sle-sdk 11.0 (L3: false)
* sle-sdk 11.1 (L3: false)
* sle-sdk 11.2 (L3: false)
* sle-sdk 11.3 (L3: false)
* sle-sdk 11.4 (L3: false)
* sle-sdk 12.0 (L3: false)
* sle-sdk 12.1 (L3: false)

Upstream Patches:
https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced

CVE-2016-2510 was assigned to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2510
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2510.html
And affects openSUSE 13.2 and Leap 42.1.
Update sent to Factory.
This is an autogenerated message for OBS integration: This bug (967593) was mentioned in https://build.opensuse.org/request/show/361161 Factory / bsh2
All submissions hopefully done, openSUSE release inherits from sle12.
openSUSE 13.2 still missing. (Leap gets it from SLES12 SP1, yes.) Is bsh (no 2) also affected?
SUSE-SU-2016:0699-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 967593
CVE References: CVE-2016-2510
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): bsh2-2.0-318.1
SUSE-SU-2016:0700-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 967593
CVE References: CVE-2016-2510
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): bsh2-2.0.0.b5-3.2
SUSE Linux Enterprise Software Development Kit 12 (src): bsh2-2.0.0.b5-3.2
(In reply to Marcus Meissner from comment #6)
> openSUSE 13.2 still missing. (Leap gets it from SLES12 SP1, yes.)
Will amend, missed that :)
> Is bsh (no 2) also affected?
No idea; the codebase is completely different. If nothing depends on bsh we could even remove it?
This is an autogenerated message for OBS integration: This bug (967593) was mentioned in https://build.opensuse.org/request/show/369492 13.2 / bsh2
I think we got all submissions. I don't care much about bsh; you can drop it from Factory, I think, if it's not needed.
openSUSE-SU-2016:0788-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 967593
CVE References: CVE-2016-2510
Sources used:
openSUSE Leap 42.1 (src): bsh2-2.0.0.b5-30.1
openSUSE-SU-2016:0833-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 967593
CVE References: CVE-2016-2510
Sources used:
openSUSE 13.2 (src): bsh2-2.0.0.b6-27.3.1