Author: alteholz
Date: 2016-06-18 17:42:41 +0000 (Sat, 18 Jun 2016)
New Revision: 42624

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
taking care of libstruts1.2-java

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2016-06-18 13:33:59 UTC (rev 42623)
+++ data/CVE/list       2016-06-18 17:42:41 UTC (rev 42624)
@@ -13977,13 +13977,23 @@
 CVE-2016-1182 [Improper input validation in Validator]
        RESERVED
        - libstruts1.2-java <removed>
+       [wheezy] - libstruts1.2-java <no-dsa> (basically fixed in CVE-2015-0899)
        NOTE: https://jvn.jp/en/jp/JVN65044642/
-       NOTE: Probably a duplicate of CVE-2015-0899
+       NOTE: Two conditions must be met to exploit this vulnerability
+       NOTE: condition one is already fixed in CVE-2015-0899, so everything is 
fine
+       NOTE: condition two can be fixed by the following patch:
+       NOTE:  
https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
+       NOTE: but as this completely deactivates multipart requests, this 
should not be generally applied
 CVE-2016-1181 [Vulnerability in ActionForm allows unintended remote operations 
against components on server memory]
        RESERVED
        - libstruts1.2-java <removed>
+       [wheezy] - libstruts1.2-java <no-dsa> (basically fixed in CVE-2015-0899)
        NOTE: https://jvn.jp/en/jp/JVN03188560/
-       NOTE: Probably a duplicate of CVE-2015-0899
+       NOTE: Two conditions must be met to exploit this vulnerability
+       NOTE: condition one is already fixed in CVE-2015-0899, so everything is 
fine
+       NOTE: condition two can be fixed by the following patch:
+       NOTE:  
https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
+       NOTE: but as this completely deactivates multipart requests, this 
should not be generally applied
 CVE-2016-1180 (Cross-site scripting (XSS) vulnerability in the Cyber-Will ...)
        TODO: check
 CVE-2016-1179
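Review bot: the NOTE lines added under CVE-2016-1182 and CVE-2016-1181 say "Two conditions must be met to exploit this vulnerability" but never state what the two conditions are, so the `<no-dsa>` decision cannot be checked from the tracker entry alone. Suggest naming both conditions in the notes. The wheezy version of libstruts1.2-java that carries the CVE-2015-0899 fix should also be recorded, since "basically fixed in CVE-2015-0899" and "so everything is fine" both depend on that fix being installed. Because the patch for condition two is deliberately not applied, a NOTE saying which deployments remain exposed to condition two would tell users whether they need to act themselves.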

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2016-06-18 13:33:59 UTC (rev 42623)
+++ data/dla-needed.txt 2016-06-18 17:42:41 UTC (rev 42624)
@@ -34,8 +34,6 @@
   The JSON/JaF doesn't appear to be present in wheezy but the
   content-disposition stuff might be.
 --
-libstruts1.2-java (Thorsten Alteholz)
---
 mat
 --
 mysql-connector-java
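Review bot: dropping the "libstruts1.2-java (Thorsten Alteholz)" entry closes the item without a DLA, while the data/CVE/list notes in the same revision record that condition two stays unpatched in wheezy. The log message "taking care of libstruts1.2-java" does not say that no upload is planned; suggest stating in the log that the package is removed from dla-needed.txt because both CVEs were marked `<no-dsa>`, so the removal is not read as a completed fix.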


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
