Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-07-21 Thread Nobuhiro Ban
Hi all,
2014-06-16 20:27 GMT+09:00 Emmanuel Bourg :
> I got confirmation from the Struts developers that a new release using
> commons-beanutils 1.9.2 is planned soon. So I'm going to prepare the
> backport of commons-beanutils 1.9.2 in stable and wait for the new
> release of Struts 1.x.
Security fi

Processed (with 5 errors): Re: Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-07-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:
> unarchive 745897
Bug #745897 {Done: Hideki Yamane } [libstruts1.2-java] libstruts1.2-java: CVE-2014-0114
Unarchived Bug 745897
> 2014-06-16 20:27 GMT+09:00 Emmanuel Bourg :
Unknown command or malformed arguments to command.
> > Le 15/06/2014 06:4

Bug#745897: fixed in libstruts1.2-java 1.2.9-9

2014-06-21 Thread Nobuhiro Ban
2014-06-15 15:35 GMT+09:00 Hideki Yamane :
>> This pattern will match words other than "class", e.g. "fooClass".
> Any class should be accepted, maybe it'd cause some
> trouble but non-class should not be named as *class, IMHO.
That might be the case. This issue might be a very small problem. Act

Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-16 Thread Emmanuel Bourg
On 15/06/2014 06:43, Hideki Yamane wrote:
> Then, question: commons-beanutils version in Debian is
> both seems to be still vulnerable version. Can you provide security-backport
> patch for them? If not, patch to struts1 is still useful to
> prevent attack, so push fix to libstruts1.2-j

Bug#745897: fixed in libstruts1.2-java 1.2.9-9

2014-06-14 Thread Hideki Yamane
Hi,
On Sun, 1 Jun 2014 15:03:20 +0900 Nobuhiro Ban wrote:
> >+protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
> >+.compile("(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
> >+Pattern.CASE_INSENSITIVE);
>
> It's very strange regexp. Because we k
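Review bot: the prefix group `(.*\.|^|.*|\[('|"))` in the quoted `+.compile(...)` line has a bare `.*` branch that subsumes the other three, so the pattern accepts any name containing `class` (matched case-insensitively) followed by `.`, `[`, `']` or `"]`, for example `fooClass.bar` or `subclass.foo`, not only direct access to the `class` property; `.*|\[` looks like a typo for `.*\[`, which would restrict the match to `class` at the start of the name, after a `.`, or after `['` / `["`.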

Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-14 Thread Hideki Yamane
Hi Emmanuel,
>>commons-beanutils (1.9.2-1) unstable; urgency=medium
>>
>> * New upstream release
>> * Disabled the BeanMap test which relies on a class not packaged in Debian
>> * Moved the package to Git
>>
>> -- Emmanuel Bourg Fri, 30 May 2014 13:58:47 +0200
You mean, struts1 calls BeanUt

Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-01 Thread Emmanuel Bourg
Hi,
FYI I just uploaded Commons BeanUtils 1.9.2 which includes a new BeanIntrospector designed to fix this issue. I believe a new version of Struts using it is expected.
Emmanuel Bourg

Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-01 Thread Nobuhiro Ban
Hi,
> Thanks for your comment, do you have any fix for it?
Security vendors (LAC Co.Ltd and Mitsui Bussan Secure Directions, Inc.) suggest /(^|\W)[cC]lass\W/, so I'm personally using a naive implementation of this pattern: Pattern.compile(".*(^|\\W)[cC]lass\\W.*"). But I'm not IT-security proofes

Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-05-31 Thread Hideki Yamane
Hi,
On Sun, 1 Jun 2014 15:03:20 +0900 Nobuhiro Ban wrote:
> It's very strange regexp. Because we know (P1|.*|P2) == .* .
> This pattern will match words other than "class", e.g. "fooClass".
>
> I think this patch will cause a regression.
Thanks for your comment, do you have any fix for it?

Bug#745897: closed by Hideki Yamane (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-05-31 Thread Nobuhiro Ban
Hi,
>- add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114
http://sources.debian.net/src/libstruts1.2-java/1.2.9-9/debian/patches/struts-1.2.9-CVE-2014-0114.patch
>+protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
>+.compile("(.*\\.|^|.*|\\[('|\"
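To check the thread's claim that the bare `.*` alternative makes the patched pattern over-match, here is an added Python script (not code from the thread, from Struts or from the Red Hat patch) that runs the quoted CLASS_ACCESS_PATTERN, a tightened variant of it that is my own assumption about the intended pattern, and the pattern Nobuhiro Ban says he uses, over constructed BeanUtils-style property names. It assumes the Java code applies the pattern with `Matcher.matches()` (whole-input match), which `re.fullmatch` emulates here.

```python
import re

# Pattern quoted from the Red Hat struts-1.2.9-CVE-2014-0114.patch; Java compiles it
# with Pattern.CASE_INSENSITIVE, so re.IGNORECASE is used here.
REDHAT_PATTERN = re.compile(r'''(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*''', re.IGNORECASE)

# Assumed intended pattern (my reading, not from the thread): ".*|\[" replaced by ".*\[",
# so "class" must sit at the start, after a ".", or after "['" / '["'.
TIGHTENED_PATTERN = re.compile(r'''(.*\.|^|.*\[('|"))class(\.|('|")]|\[).*''', re.IGNORECASE)

# Pattern Nobuhiro Ban says he uses: Pattern.compile(".*(^|\\W)[cC]lass\\W.*").
# It is not compiled case-insensitively, so it only covers "class" and "Class".
SUGGESTED_PATTERN = re.compile(r'''.*(^|\W)[cC]lass\W.*''')

def matches(pattern: re.Pattern, name: str) -> bool:
    """Emulate Java's Matcher.matches(), which requires the whole input to match."""
    return pattern.fullmatch(name) is not None

def redhat_blocks(name: str) -> bool:
    return matches(REDHAT_PATTERN, name)

def tightened_blocks(name: str) -> bool:
    return matches(TIGHTENED_PATTERN, name)

def suggested_blocks(name: str) -> bool:
    return matches(SUGGESTED_PATTERN, name)

# Constructed property names; only "class" and "fooClass" themselves come from the thread.
SAMPLES = [
    "class.foo",        # direct access to the class property
    "bean.class.foo",   # nested access after a dot
    "x['class'].y",     # mapped-style access after a bracket and quote
    "fooClass.bar",     # ordinary property whose name merely ends in "class"
    "subclass.foo",     # likewise
    "classification",   # "class" not followed by a separator
    "CLASS.foo",        # upper-case spelling
]

def compare(names=SAMPLES) -> dict:
    """Return {name: (redhat, tightened, suggested)} match flags for each property name."""
    return {n: (redhat_blocks(n), tightened_blocks(n), suggested_blocks(n)) for n in names}

if __name__ == "__main__":
    print(f"{'name':18} redhat  tightened  suggested")
    for name, flags in compare().items():
        print(f"{name:18} " + "  ".join(f"{f!s:9}" for f in flags))
```

The table shows the quoted pattern flagging `fooClass.bar` and `subclass.foo`, which neither of the other two does, and the suggested pattern missing `CLASS.foo` because it is case-sensitive.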