[Secure-testing-commits] r42624 - in data: . CVE
Thorsten Alteholz
alteholz at moszumanska.debian.org
Sat Jun 18 17:42:41 UTC 2016
Author: alteholz
Date: 2016-06-18 17:42:41 +0000 (Sat, 18 Jun 2016)
New Revision: 42624
Modified:
data/CVE/list
data/dla-needed.txt
Log:
taking care of libstruts1.2-java
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-06-18 13:33:59 UTC (rev 42623)
+++ data/CVE/list 2016-06-18 17:42:41 UTC (rev 42624)
@@ -13977,13 +13977,23 @@
CVE-2016-1182 [Improper input validation in Validator]
RESERVED
- libstruts1.2-java <removed>
+ [wheezy] - libstruts1.2-java <no-dsa> (basically fixed in CVE-2015-0899)
NOTE: https://jvn.jp/en/jp/JVN65044642/
- NOTE: Probably a duplicate of CVE-2015-0899
+ NOTE: Two conditions must be met to exploit this vulnerability
+ NOTE: condition one is already fixed in CVE-2015-0899, so everything is fine
+ NOTE: condition two can be fixed by the following patch:
+ NOTE: https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
+ NOTE: but as this completely deactivates multipart requests, this should not be generally applied
CVE-2016-1181 [Vulnerability in ActionForm allows unintended remote operations against components on server memory]
RESERVED
- libstruts1.2-java <removed>
+ [wheezy] - libstruts1.2-java <no-dsa> (basically fixed in CVE-2015-0899)
NOTE: https://jvn.jp/en/jp/JVN03188560/
- NOTE: Probably a duplicate of CVE-2015-0899
+ NOTE: Two conditions must be met to exploit this vulnerability
+ NOTE: condition one is already fixed in CVE-2015-0899, so everything is fine
+ NOTE: condition two can be fixed by the following patch:
+ NOTE: https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
+ NOTE: but as this completely deactivates multipart requests, this should not be generally applied
CVE-2016-1180 (Cross-site scripting (XSS) vulnerability in the Cyber-Will ...)
TODO: check
CVE-2016-1179
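Review bot: the added NOTE lines under CVE-2016-1182 and CVE-2016-1181 say "Two conditions must be met to exploit this vulnerability" but never state what the two conditions are, so a reader cannot tell what remains open in wheezy without following the JVN links. Suggest naming both conditions in the NOTE text. Suggest also replacing "so everything is fine" with a statement of which condition CVE-2015-0899 covers. The same five lines are pasted under both entries although one is titled as a Validator issue and the other as an ActionForm issue; if the reasoning really is identical, one entry could point to the other instead of duplicating it. The reason "(basically fixed in CVE-2015-0899)" on the `<no-dsa>` lines is hedged: since the notes go on to say condition two is only addressed by a patch that "should not be generally applied", it would be clearer to state that condition two is left unpatched on purpose.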
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2016-06-18 13:33:59 UTC (rev 42623)
+++ data/dla-needed.txt 2016-06-18 17:42:41 UTC (rev 42624)
@@ -34,8 +34,6 @@
The JSON/JaF doesn't appear to be present in wheezy but the
content-disposition stuff might be.
--
-libstruts1.2-java (Thorsten Alteholz)
---
mat
--
mysql-connector-java
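Review bot: removing "libstruts1.2-java (Thorsten Alteholz)" from dla-needed.txt closes the work item, but the log message "taking care of libstruts1.2-java" does not say that the outcome is a `<no-dsa>` triage with no upload. Suggest a log message that records the decision, for example that CVE-2016-1181 and CVE-2016-1182 were marked no-dsa for wheezy and the package was dropped from dla-needed, so the history of this file explains why the entry went away.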