stain released this Feb 5, 2016 · 760 commits to master since this release

BeanShell 2.0b6 is a security update that is functionally equivalent to the previous version 2.0b5.

No other functionality has changed since 2.0b5, but this is a recommended update for all BeanShell users, as it fixes a remote code execution vulnerability.

Security fix (CVE-2016-2510)

This release fixes a remote code execution vulnerability that was identified in BeanShell by Alvaro Muñoz and Christian Schneider. The BeanShell team would like to thank them for their help and contributions to this fix!

An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source.

A vulnerable application could be exploited for remote code execution, including executing arbitrary shell commands.

This update fixes the vulnerability in BeanShell, but it is worth noting that applications doing such deserialization might still be insecure through other libraries. It is recommended that application developers take further measures such as using a restricted class loader when deserializing. See notes on Java serialization security, XStream security and How to secure deserialization from untrusted input without using encryption or sealing.

A MITRE CVE number has been reserved: CVE-2016-2510

License

BeanShell is licensed under the Apache License, version 2.0. See the file LICENSE for details, and the NOTICE file for required attributions.

Download

SHA1 checksums for this release:


sha512:


This release is also distributed to Maven Central. Usage:

    <dependencies>
       <dependency>
         <groupId>org.apache-extras.beanshell</groupId>
         <artifactId>bsh</artifactId>
         <version>2.0b6</version>
       </dependency>
    </dependencies>

Alternatively you can use our BinTray Maven repository or JCenter:

    <!-- just beanshell -->
    <repository>
      <id>bintray-beanshell-Beanshell</id>
      <name>bintray</name>
      <url>http://dl.bintray.com/beanshell/Beanshell</url>
      <snapshots><enabled>false</enabled></snapshots>
    </repository>
    <!-- or use JCenter -->
    <repository>
      <id>central</id>
      <name>bintray</name>
      <url>http://jcenter.bintray.com</url>
      <snapshots><enabled>false</enabled></snapshots>
    </repository>

User interface

To execute the Beanshell user interface, either double-click the JAR file, or run it with:

    java -jar bsh-2.0b6.jar

You will need Java 5 or later installed. Note that there is a bug (#4) which may cause a hang, preventing the user interface from running with Java 8.

Nov 7, 2014
Fix issue-8: warning: [deprecation] toURL() in File has been deprecated.
Fix warning by prepending toURI(). to occurrences of toURL().


git-svn-id: https://svn.codespot.com/a/apache-extras.org/beanshell/trunk@33 934af587-6f8e-29cc-0aa7-85b2284b99e2