Bug#657870: Multiple issues in Struts

tony mancill tmancill at debian.org
Thu Feb 2 06:46:51 UTC 2012


On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> Package: libstruts1.2-java
> Severity: grave
> Tags: security
> 
> Hi,
> several vulnerabilities have been reported against Struts:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
> 
> The version in Debian seems ancient and unmaintained, can you
> please check whether an update is needed?

The CVEs listed all explicitly reference Struts 2, and so I believe
would only be applicable if Debian included a libstruts-2.x package.

There are (3) rdepends of the libstruts1.2-java package.  It might be
possible to migrate them to the latest upstream Struts 1 release, which
is 1.3.10. However, there haven't been any 1.x upstream releases in over
3 years.

Cheers,
tony
