Yes, that looks like it should be sufficient to fix the exploit both for java.util deserialization and xmlbeans deserialization.

On 26 February 2016 at 13:51, Markus Koschany <[email protected]> wrote:
> On 19.02.2016 at 13:10, Stian Soiland-Reyes wrote:
>> Hi,
>>
>> BeanShell aka bsh has released a security fix 2.0b6:
>>
>> https://github.com/beanshell/beanshell/releases/tag/2.0b6
>>
>> It has been reported to MITRE as CVE-2016-2510.
>
> Hi Stian,
>
> I intend to backport your changes to fix CVE-2016-2510. Looking at the
> relevant commits, I could condense the changes to create the attached
> patch. Could you take a look at it and confirm that this is sufficient?
>
> Regards,
>
> Markus
>

--
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718

