On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> Package: libstruts1.2-java
> Severity: grave
> Tags: security
>
> Hi,
> several vulnerabilities have been reported against Struts:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
>
> The version in Debian seems ancient and unmaintained, can you
> please check, whether an update is needed?

The CVEs listed all explicitly reference Struts 2, and so I believe would only be applicable if Debian included a libstruts-2.x package.

There are (3) rdepends of the libstruts1.2-java package. It might be possible to migrate them to the latest upstream Struts 1 release, which is 1.3.10. However, there haven't been any 1.x upstream releases in over 3 years.

Cheers,
tony
__
This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.