Debian Security Advisory

DLA-443-1 bsh -- LTS security update

Date Reported: 29 Feb 2016
Affected Packages: bsh
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2016-2510.
More information:

A remote code execution vulnerability was found in BeanShell, an embeddable Java source interpreter with object scripting language features.

  • CVE-2016-2510:

    An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.
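
One way an application owner can close the deserialization path this advisory describes, independently of the package update: a JDK 9+ ObjectInputFilter (JEP 290) that explicitly rejects bsh classes and denies every class outside a short allow-list. This is an added example, not code from BeanShell or from Debian; the com.example package name and the sample objects are assumptions made for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

public class BshSafeDeserialize {
    // Filter pattern, evaluated left to right: bsh.** is rejected explicitly,
    // the application's own com.example types (assumed name) and plain
    // java.lang / java.util types are allowed, and the trailing "!*" rejects
    // every other class, so a library merely present on the classpath cannot be
    // reached through the stream. The limits bound nesting, references and size.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!bsh.**;com.example.**;java.lang.*;java.util.*;!*;"
          + "maxdepth=20;maxrefs=1000;maxbytes=65536");

    // Deserialize bytes that came from an untrusted source with the filter applied.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    // Builds the constructed sample streams used below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: an allow-listed java.util type is read normally.
        List<String> ok = new ArrayList<>(List.of("a", "b"));
        System.out.println("accepted: " + readFiltered(serialize(ok)));

        // Constructed input 2: a class outside the allow-list (standing in for a
        // bsh.* class or any other unexpected type) is rejected before any
        // instance is created; the filter throws InvalidClassException.
        try {
            readFiltered(serialize(new AtomicInteger(1)));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list discipline applies to the XStream path the advisory mentions: configure its type permissions so that only the application's own types are accepted.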

For Debian 6 Squeeze, this problem has been fixed in version 2.0b4-12+deb6u1.

We recommend that you upgrade your bsh packages.