Security update for bsh2 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0700-1 Final 1 1 2016-03-09T08:03:33Z current 2016-03-09T08:03:33Z 2016-03-09T08:03:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for bsh2 This update for bsh2 fixes the following issues: - CVE-2016-2510: An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to deserialize data from an untrusted source. Please see https://github.com/beanshell/beanshell/releases/tag/2.0b6 for more information. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SDK-12-2016-399,SUSE-SLE-SDK-12-SP1-2016-399 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160700-1/ Link for SUSE-SU-2016:0700-1 https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00020.html E-Mail link for SUSE-SU-2016:0700-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/967593 SUSE Bug 967593 https://www.suse.com/security/cve/CVE-2016-2510/ SUSE CVE CVE-2016-2510 page SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Software Development Kit 12 SP1 bsh2-2.0.0.b5-3.2 bsh2-classgen-2.0.0.b5-3.2 bsh2-javadoc-2.0.0.b5-3.2 bsh2-2.0.0.b5-3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 bsh2-classgen-2.0.0.b5-3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 bsh2-javadoc-2.0.0.b5-3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 bsh2-2.0.0.b5-3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 bsh2-classgen-2.0.0.b5-3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 bsh2-javadoc-2.0.0.b5-3.2 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler. CVE-2016-2510 SUSE Linux Enterprise Software Development Kit 12 SP1:bsh2-2.0.0.b5-3.2 SUSE Linux Enterprise Software Development Kit 12 SP1:bsh2-classgen-2.0.0.b5-3.2 SUSE Linux Enterprise Software Development Kit 12 SP1:bsh2-javadoc-2.0.0.b5-3.2 SUSE Linux Enterprise Software Development Kit 12:bsh2-2.0.0.b5-3.2 SUSE Linux Enterprise Software Development Kit 12:bsh2-classgen-2.0.0.b5-3.2 SUSE Linux Enterprise Software Development Kit 12:bsh2-javadoc-2.0.0.b5-3.2 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160700-1/ https://www.suse.com/security/cve/CVE-2016-2510.html CVE-2016-2510 https://bugzilla.suse.com/967593 SUSE Bug 967593