#700610 bsh: Beanshell fork available

#700610#5
Date:
2013-02-15 08:53:29 UTC
From:
To:
Hi

There's a beanshell fork available on google code:
http://code.google.com/p/beanshell2/

Please consider using these newer version as beanshell (from beanshell.org) hasn't received an update since 2005.

Thanks,
Tom

#700610#10
Date:
2015-01-30 13:03:08 UTC
From:
To:
There is also https://code.google.com/a/apache-extras.org/p/beanshell/
according to which, "This is the new home of the BeanShell scripting language."
They have released a version 2.0b5

#700610#15
Date:
2016-02-19 12:13:02 UTC
From:
To:
Hi,

BeanShell aka bsh has released a security fix 2.0b6:

https://github.com/beanshell/beanshell/releases/tag/2.0b6

It has been reported to MITRE as CVE-2016-2510.


This might be a good time to address
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700610

and update sid to use the new upstream home of
https://github.com/beanshell/beanshell
(transitioned from apache-extras)


Note that since 2.0b5 the license has changed to Apache License.

2.0b5 should be functionally equivalent to 2.0b4 except the license change.


If you want to backport only the security fix for 2.0b4 jessie, see
https://github.com/beanshell/beanshell/commits/2.0b6

specifically these two commits:

https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49

https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced

#700610#20
Date:
2016-02-19 13:32:21 UTC
From:
To:
Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh
though, the issue is any application deserializing untrusted data
without sanitizing it and having bsh on the classpath. I'm not aware of
such applications in Debian, but if there is one it should be fixed in
priority instead of playing whac-a-mole with the serialization code in
the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the
original author (Patrick Niemeyer) to change the license from LGPL-2 to
Apache-2.0? Also why was the Maven groupId changed from org.beanshell to
org.apache-extras.beanshell?

Emmanuel Bourg

#700610#25
Date:
2016-02-19 16:18:40 UTC
From:
To:
 Hi, thanks. I agree that this is a general Java issue in any
application using serialization - the vulnerability attack vector
would just move to less common libraries (we point this out in the
release notes).
Also I must admit for me it was a bit confuising at first to learn
about how a scripting language could be used to run arbitrary code -
well that's the point! :-)  However the issue could arrise just by
having
bsh.jar on the classpath and doing any other kind of deserialization
from files or the network.


Patrick Niemeyer (CC) did the license change as part of the code
donation to ASF:
https://github.com/beanshell/beanshell/commit/8bac4930744cc62134125263b3e61ef04e296c80

Pat is also part of the https://github.com/beanshell team.

I've added a brief History section to
https://github.com/beanshell/beanshell#history - perhaps Pat want to
review that :)



We changed the groupId for 2.0b5 as it was unclear at the time what
was the relationship with beanshell.org, and also beanshell.org also
had an existing 2.0b5 release under LGPL.

Since Google Code shut down http://apache-extras.org/ as a domain name
has become a bit meaningless, so now org.apache-extras.beanshell is
not a good groupId.

We could probably change the groupId back to org.beanshell and as a
GitHub project take over management of the http://beanshell.org/
website - but there's a bit of legacy to maintain there (e.g. older
releases and Beanshell 1) - so that's up to Pat to decide - perhaps
just a banner pointing to the GitHub page would be enough?

I've added https://github.com/beanshell/beanshell/issues/17 to discuss this.

There is also the fork https://github.com/pejobo/beanshell2 - but
pejobo has also joined https://github.com/beanshell so hopefully his
patches there would move across. (They have to be recontributed by the
original authors as beanshell2 was LGPL)

#700610#30
Date:
2022-02-22 22:32:49 UTC
From:
To:
Dear maintainers,

there was published a new release of BeanShell 14 months ago. You can find
the sources of version 2.1.0 on GitHub at

https://github.com/beanshell/beanshell/releases/tag/2.1.0

The new version has not been published on Maven though (where versions
from 2.0b4 to 2.0b6 are still the newest releases), but this is explained
on GitHub at https://github.com/beanshell/beanshell/issues/603 .
Anyway, version 2.1.0 is an official release linked from
https://www.beanshell.org/download.html and there is also stated that
version 2.0b4 is now merely a legacy release.

What do you think, wouldn't it be time for an update in Debian?

Best regards,

Thomas Uhle

#700610#35
Date:
2022-02-22 23:21:24 UTC
From:
To:
The comment
reads for me more like a “maybe remove it instead…”.

Honestly though, if it’s not available in Central, upstreams will
not use it and stick to old beta versions. If Debian has a newer
one, which may be incompatible, we’re inviting problems.

bye,
//mirabilos

#700610#40
Date:
2022-02-25 21:33:56 UTC
From:
To:
That might be true although the BeanShell developers claim in their
announcment of version 2.1.0 to be backward compatible with version 2.0b6,
and only suitable backports from the upcoming version 3.0 of BeanShell
have made it into version 2.1.0.  But even then Debian could move on to
version 2.0b6 at least.  It is the latest version of BeanShell on Maven
Central.

Perhaps we might have a better picture after a look at other Linux
distributions.  Arch, Fedora and Mageia for instance already have version
2.1.0 onboard whereas Gentoo, OpenMandriva, openSUSE and Red Hat stay with
version 2.0b6 (... to name just a few).  So it is quite mixed.  But I
haven't seen any Linux distribution so far (apart from those derived from
Debian like Linux Mint, Ubuntu, etc.) that still have version 2.0b4.
It seems that both decisions (either to update to version 2.1.0 or to
version 2.0b6) are reasonable.

Best regards,

Thomas Uhle