On Wed, Feb 01, 2012 at 10:46:51PM -0800, tony mancill wrote:
> On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> > Package: libstruts1.2-java
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > several vulnerabilities have been reported against Struts:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
> >
> > The version in Debian seems ancient and unmaintained, can you
> > please check whether an update is needed?
>
> The CVEs listed all explicitly reference Struts 2, and so I believe
> would only be applicable if Debian included a libstruts-2.x package.

OK, I've updated the Security Tracker.

> There are (3) rdepends of the libstruts1.2-java package. It might be
> possible to migrate them to the latest upstream Struts 1 release, which
> is 1.3.10. However, there haven't been any 1.x upstream releases in over
> 3 years.

There's a new issue, which affects 1.x:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007

Cheers,
Moritz