Hi Stian,

Thank you for the notice. Technically this isn't a vulnerability in bsh though; the issue is any application deserializing untrusted data without sanitizing it and having bsh on the classpath. I'm not aware of such applications in Debian, but if there is one it should be fixed in priority instead of playing whack-a-mole with the serialization code in the 800+ Java libraries in Debian.

Regarding your fork on GitHub, did you get the authorization from the original author (Patrick Niemeyer) to change the license from LGPL-2 to Apache-2.0? Also, why was the Maven groupId changed from org.beanshell to org.apache-extras.beanshell?

Emmanuel Bourg
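The application-side fix the reply argues for, as an added example (this is not code from the thread, from Debian or from BeanShell): a consumer of untrusted serialized data installs a JEP 290 allow-list filter (`ObjectInputFilter`, Java 9+) before calling `readObject()`, so any class the stream names outside the allow-list, a `bsh.*` class included, is rejected before it is resolved or instantiated. The `Invoice` type, the filter pattern and the sample streams are constructed for the demonstration; an `ArrayList` stands in for a gadget class that is not on this classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added example, not Debian's or BeanShell's code: an application that
// deserializes untrusted bytes restricts which classes the stream may name,
// so a bsh.* class that happens to be on the classpath cannot be reached.
public class DeserializationFilterDemo {

    // Hypothetical application type that the stream is allowed to carry.
    public static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long cents;
        Invoice(String customer, long cents) {
            this.customer = customer;
            this.cents = cents;
        }
    }

    // Allow-list filter: our own type plus java.lang classes (String is
    // filter-checked too); depth and array limits bound resource use; the
    // explicit "!bsh.**" is redundant with the final "!*" but documents
    // intent. First matching pattern wins; anything unmatched is rejected.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;"
            + "!bsh.**;"
            + DeserializationFilterDemo.class.getName() + "$Invoice;"
            + "java.lang.*;"
            + "!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Untrusted-input entry point: the filter is installed on the stream
    // before readObject(), so class resolution is vetted, not just the result.
    static Object deserializeFiltered(byte[] untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: the expected type passes the filter.
        Invoice inv = (Invoice) deserializeFiltered(serialize(new Invoice("acme", 1999)));
        System.out.println("accepted: " + inv.customer + " " + inv.cents);

        // Constructed sample 2: a class outside the allow-list (ArrayList here
        // stands in for a gadget class we do not have on the classpath) is
        // rejected with InvalidClassException and is never instantiated.
        List<String> gadgetStandIn = new ArrayList<>();
        gadgetStandIn.add("x");
        try {
            deserializeFiltered(serialize(gadgetStandIn));
            System.out.println("BUG: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide with the `jdk.serialFilter` system property (or `ObjectInputFilter.Config.setSerialFilter`) when the deserializing code is in a library the application does not control, which is the situation the reply describes: the check belongs with whoever reads the untrusted stream, not with every library that happens to define a serializable class.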