Bug#657870: Multiple issues in Struts
Hi Moritz,

> There was another report for a Struts security issue: CVE-2012-1592:
> http://seclists.org/bugtraq/2012/Mar/110
>
> Can you please contact upstream to ask whether this needs to be fixed in our Struts 1.2?

Struts 1.x is not affected by this issue (there is no XSLTResult file or similar mechanism).

BTW, Red Hat also flagged their struts 1.x package as Not Vulnerable.

Cheers,
-- 
Damien

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#657870: Multiple issues in Struts
There was another report for a Struts security issue: CVE-2012-1592:
http://seclists.org/bugtraq/2012/Mar/110

Can you please contact upstream to ask whether this needs to be fixed in our Struts 1.2?

Cheers,
Moritz
Bug#657870: Multiple issues in Struts
On Tue, Feb 21, 2012 at 12:53:47AM +0100, Damien Raude-Morvan wrote:
> Hi Moritz,
>
> On Thursday 16 February 2012 19:42:09, Damien Raude-Morvan wrote:
> > On 09/02/2012 21:16, Moritz Mühlenhoff wrote:
> > > There's a new issue, which affects 1.x:
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007
> >
> > From [1], it seems there is no actual fix for this issue :(
> > I'll contact Struts Security Team on this matter.
>
> Okay, I got some feedback from the Struts Security Team.
>
> This particular security issue doesn't affect Struts as a binary library (i.e. /usr/share/java/struts-1.2.jar is unaffected) but concerns only the samples provided as source in /usr/share/doc/libstruts1.2-java/example*
>
> Do you think we should provide an updated package for squeeze (I think we can just drop the examples)?

It's just an example, we don't need a DSA. You can fix it through a stable update for Squeeze, though.

Cheers,
Moritz
Bug#657870: Multiple issues in Struts
Hi Moritz,

On Thursday 16 February 2012 19:42:09, Damien Raude-Morvan wrote:
> On 09/02/2012 21:16, Moritz Mühlenhoff wrote:
> > There's a new issue, which affects 1.x:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007
>
> From [1], it seems there is no actual fix for this issue :(
> I'll contact Struts Security Team on this matter.

Okay, I got some feedback from the Struts Security Team.

This particular security issue doesn't affect Struts as a binary library (i.e. /usr/share/java/struts-1.2.jar is unaffected) but concerns only the samples provided as source in /usr/share/doc/libstruts1.2-java/example*

Do you think we should provide an updated package for squeeze (I think we can just drop the examples)?

Cheers,
-- 
Damien
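As an added example (not code from the bug report, from Debian, or from Struts upstream), here is a Python triage helper for the two "are we affected?" questions in this thread: whether an installed jar ships the Struts 2 XSLTResult class that CVE-2012-1592 concerns (the reply on that CVE above notes that Struts 1.x has no such mechanism), and which files the package installs under /usr/share/doc/libstruts1.2-java/example*, the only part CVE-2012-1007 touched. The same jar scan tells Struts 1 and Struts 2 apart by their package prefix (org.apache.struts vs org.apache.struts2), which is how the Struts 2-only CVEs in the first message were ruled out. The sample jars and the dpkg -L style file list are constructed so the script runs offline; the class names placed in the stand-in jars and the file list are assumptions, not the real package contents.

```python
# Added example (not from the bug report, Debian, or Struts upstream): triage a
# Struts jar and a package file list against the two advisories in the thread.
#
#  1. CVE-2012-1592 concerns the Struts 2 XSLTResult result type.  Struts 1.x has
#     no such class, so the check is "does the jar contain
#     org/apache/struts2/views/xslt/XSLTResult.class?"  The package prefix of the
#     entries also separates the two generations (org.apache.struts / org.apache.struts2).
#  2. CVE-2012-1007 touched only the sample webapps shipped as source under
#     /usr/share/doc/libstruts1.2-java/example*, not struts-1.2.jar, so the step
#     there is to list what the package installs under that path.
#
# The jars and the file list below are constructed stand-ins (assumption, not the
# real package contents) so the script runs offline.
import os
import tempfile
import zipfile

# Class implementing the XSLT result type in Struts 2 (absent from Struts 1.x).
XSLT_RESULT_CLASS = "org/apache/struts2/views/xslt/XSLTResult.class"

STRUTS1_PREFIX = "org/apache/struts/"
STRUTS2_PREFIX = "org/apache/struts2/"


def jar_entries(jar_path):
    """Return the set of entry names in a jar (a jar is a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return set(zf.namelist())


def struts_generation(entries):
    """1 for Struts 1.x, 2 for Struts 2.x, None if neither package prefix is present."""
    if any(n.startswith(STRUTS2_PREFIX) for n in entries):
        return 2
    if any(n.startswith(STRUTS1_PREFIX) for n in entries):
        return 1
    return None


def exposed_to_xslt_result(entries):
    """True only if the jar actually ships the XSLTResult class."""
    return XSLT_RESULT_CLASS in entries


def shipped_examples(installed_files, doc_dir="/usr/share/doc/libstruts1.2-java"):
    """Reduce a package's installed file list (as `dpkg -L` prints it) to the
    example* tree under its doc directory, i.e. the files CVE-2012-1007 concerned."""
    prefix = doc_dir.rstrip("/") + "/example"
    return sorted(f for f in installed_files if f.startswith(prefix))


def triage_jar(jar_path):
    """Summarise one jar: which Struts generation it is and whether XSLTResult is inside."""
    entries = jar_entries(jar_path)
    return {
        "generation": struts_generation(entries),
        "has_xslt_result": exposed_to_xslt_result(entries),
    }


def build_sample_jar(path, entries):
    """Constructed stand-in for a real jar: a zip holding empty class-like entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return path


# Constructed `dpkg -L libstruts1.2-java`-style output (assumption, not the real list).
SAMPLE_FILE_LIST = [
    "/usr/share/java/struts-1.2.jar",
    "/usr/share/doc/libstruts1.2-java/copyright",
    "/usr/share/doc/libstruts1.2-java/changelog.Debian.gz",
    "/usr/share/doc/libstruts1.2-java/example/WEB-INF/web.xml",
    "/usr/share/doc/libstruts1.2-java/example/index.jsp",
    "/usr/share/doc/libstruts1.2-java/examples/struts-config.xml",
]


def demo():
    """Build one Struts 1-style and one Struts 2-style jar and triage both."""
    tmp = tempfile.mkdtemp()
    struts1 = build_sample_jar(os.path.join(tmp, "struts-1.2.jar"), [
        "META-INF/MANIFEST.MF",
        STRUTS1_PREFIX + "action/ActionServlet.class",
        STRUTS1_PREFIX + "util/RequestUtils.class",
    ])
    struts2 = build_sample_jar(os.path.join(tmp, "struts2-core.jar"), [
        "META-INF/MANIFEST.MF",
        STRUTS2_PREFIX + "dispatcher/FilterDispatcher.class",
        XSLT_RESULT_CLASS,
    ])
    return {
        "struts1": triage_jar(struts1),
        "struts2": triage_jar(struts2),
        "examples": shipped_examples(SAMPLE_FILE_LIST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real squeeze host the same two checks are `unzip -l /usr/share/java/struts-1.2.jar | grep XSLTResult` (no output expected on Struts 1.x) and `dpkg -L libstruts1.2-java | grep /example`; the point of the class-level check is that it answers the question from what is actually installed rather than from the version string alone.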
Bug#657870: Multiple issues in Struts
Hi Moritz,

On 09/02/2012 21:16, Moritz Mühlenhoff wrote:
> There's a new issue, which affects 1.x:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007

From [1], it seems there is no actual fix for this issue :(

I'll contact Struts Security Team on this matter.

[1] http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt

-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
Bug#657870: Multiple issues in Struts
On Wed, Feb 01, 2012 at 10:46:51PM -0800, tony mancill wrote:
> On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> > Package: libstruts1.2-java
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > several vulnerabilities have been reported against Struts:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
> >
> > The version in Debian seems ancient and unmaintained, can you please check whether an update is needed?
>
> The CVEs listed all explicitly reference Struts 2, and so I believe would only be applicable if Debian included a libstruts-2.x package.

OK, I've updated the Security Tracker.

> There are (3) rdepends of the libstruts1.2-java package. It might be possible to migrate them to the latest upstream Struts 1 release, which is 1.3.10. However, there haven't been any 1.x upstream releases in over 3 years.

There's a new issue, which affects 1.x:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007

Cheers,
Moritz
Bug#657870: Multiple issues in Struts
On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> Package: libstruts1.2-java
> Severity: grave
> Tags: security
>
> Hi,
> several vulnerabilities have been reported against Struts:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
>
> The version in Debian seems ancient and unmaintained, can you please check whether an update is needed?

The CVEs listed all explicitly reference Struts 2, and so I believe would only be applicable if Debian included a libstruts-2.x package.

There are (3) rdepends of the libstruts1.2-java package. It might be possible to migrate them to the latest upstream Struts 1 release, which is 1.3.10. However, there haven't been any 1.x upstream releases in over 3 years.

Cheers,
tony
Bug#657870: Multiple issues in Struts
Package: libstruts1.2-java
Severity: grave
Tags: security

Hi,
several vulnerabilities have been reported against Struts:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057

The version in Debian seems ancient and unmaintained, can you please check whether an update is needed?

Cheers,
Moritz