Register | Log in

commons-beanutils

Apache Commons BeanUtils - Utility for manipulating Java beans

Choose email to subscribe with

general

source: commons-beanutils (main)
version: 1.10.1-1.1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Ludovic Claude [DMD] – Emmanuel Bourg [DMD]
arch: all
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.9.4-1
old-sec: 1.9.4-1+deb11u1
stable: 1.9.4-1
testing: 1.10.1-1
unstable: 1.10.1-1.1

versioned links

1.9.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.4-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.1-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libcommons-beanutils-java

action needed

A new upstream version is available: 1.11.0 high

A new upstream version 1.11.0 is available, you should consider packaging it.

Created: 2025-05-30 Last update: 2025-07-21 12:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-48734: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Created: 2025-05-28 Last update: 2025-07-20 16:30

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2025-48734: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default. Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty(). Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests. This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.

Created: 2025-05-28 Last update: 2025-07-20 16:30

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-07-20 Last update: 2025-07-20 15:02

debian/patches: 1 patch to forward upstream low

Among the 2 debian patches available in version 1.10.1-1.1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-07-21 Last update: 2025-07-21 00:02

testing migrations

excuses:
- Migration status for commons-beanutils (1.10.1-1 to 1.10.1-1.1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
- Issues preventing migration:
- ∙ ∙ blocked by freeze: is a key package (Follow the freeze policy when applying for an unblock)
- ∙ ∙ Too young, only 1 of 20 days old
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/c/commons-beanutils.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- Not considered

news

[2025-07-20] Accepted commons-beanutils 1.10.1-1.1 (source) into unstable (Adrian Bunk)
[2025-06-25] Accepted commons-beanutils 1.9.4-1+deb11u1 (source all) into oldstable-security (Abhijith PA)
[2025-04-26] commons-beanutils 1.10.1-1 MIGRATED to testing (Debian testing watch)
[2025-04-16] Accepted commons-beanutils 1.10.1-1 (source) into unstable (Emmanuel Bourg)
[2024-01-08] commons-beanutils 1.9.4-2 MIGRATED to testing (Debian testing watch)
[2024-01-03] Accepted commons-beanutils 1.9.4-2 (source) into unstable (Emmanuel Bourg)
[2019-08-24] Accepted commons-beanutils 1.9.2-1+deb8u1 (source all) into oldoldstable (Chris Lamb)
[2019-08-22] commons-beanutils 1.9.4-1 MIGRATED to testing (Debian testing watch)
[2019-08-17] Accepted commons-beanutils 1.9.4-1 (source) into unstable (Emmanuel Bourg)
[2016-10-09] commons-beanutils 1.9.3-1 MIGRATED to testing (Debian testing watch)
[2016-10-03] Accepted commons-beanutils 1.9.3-1 (source all) into unstable (Emmanuel Bourg)
[2016-02-04] commons-beanutils 1.9.2-3 MIGRATED to testing (Debian testing watch)
[2016-01-29] Accepted commons-beanutils 1.9.2-3 (source all) into unstable (Emmanuel Bourg)
[2015-12-18] commons-beanutils 1.9.2-2 MIGRATED to testing (Debian testing watch)
[2015-12-12] Accepted commons-beanutils 1.9.2-2 (source all) into unstable (Emmanuel Bourg)
[2014-06-05] commons-beanutils 1.9.2-1 MIGRATED to testing (Debian testing watch)
[2014-05-30] Accepted commons-beanutils 1.9.2-1 (source all) (Emmanuel Bourg)
[2014-01-18] commons-beanutils 1.9.1-1 MIGRATED to testing (Debian testing watch)
[2014-01-12] Accepted commons-beanutils 1.9.1-1 (source all) (Emmanuel Bourg)
[2013-12-23] commons-beanutils 1.9.0-1 MIGRATED to testing (Debian testing watch)
[2013-12-17] Accepted commons-beanutils 1.9.0-1 (source all) (Emmanuel Bourg)
[2013-05-05] commons-beanutils 1.8.3-4 MIGRATED to testing (Debian testing watch)
[2013-04-12] Accepted commons-beanutils 1.8.3-4 (source all) (Emmanuel Bourg) (signed by: tony mancill)
[2012-04-19] commons-beanutils 1.8.3-3 MIGRATED to testing (Debian testing watch)
[2012-04-08] Accepted commons-beanutils 1.8.3-3 (source all) (Damien Raude-Morvan)
[2011-10-03] commons-beanutils 1.8.3-2 MIGRATED to testing (Debian testing watch)
[2011-09-22] Accepted commons-beanutils 1.8.3-2 (source all) (Torsten Werner)
[2010-04-16] commons-beanutils 1.8.3-1 MIGRATED to testing (Debian testing watch)
[2010-04-05] Accepted commons-beanutils 1.8.3-1 (source all) (Damien Raude-Morvan)
[2009-12-10] commons-beanutils 1.8.2-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.10.1-1.1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing