Bug#700610: bsh (BeanShell) security vulnerability (CVE-2016-2510)

Thomas Uhle thomas.uhle at mailbox.tu-dresden.de
Fri Feb 25 21:33:56 GMT 2022


On Wed, 23 Feb 2022, Thorsten Glaser wrote:

> On Tue, 22 Feb 2022, Thomas Uhle wrote:
>
> > What do you think, wouldn't it be time for an update in Debian?
>
> The comment
> > at https://github.com/beanshell/beanshell/issues/603 .
> reads for me more like a “maybe remove it instead…”.
>
> Honestly though, if it’s not available in Central, upstreams will
> not use it and stick to old beta versions. If Debian has a newer
> one, which may be incompatible, we’re inviting problems.

That might be true although the BeanShell developers claim in their 
announcement of version 2.1.0 to be backward compatible with version 2.0b6, 
and only suitable backports from the upcoming version 3.0 of BeanShell 
have made it into version 2.1.0.  But even then Debian could move on to 
version 2.0b6 at least.  It is the latest version of BeanShell on Maven 
Central.

Perhaps we might have a better picture after a look at other Linux 
distributions.  Arch, Fedora and Mageia for instance already have version 
2.1.0 onboard whereas Gentoo, OpenMandriva, openSUSE and Red Hat stay with 
version 2.0b6 (... to name just a few).  So it is quite mixed.  But I 
haven't seen any Linux distribution so far (apart from those derived from 
Debian like Linux Mint, Ubuntu, etc.) that still has version 2.0b4.
It seems that both decisions (either to update to version 2.1.0 or to 
version 2.0b6) are reasonable.

Best regards,

Thomas Uhle

