Bug#657870: Multiple issues in Struts
Moritz Mühlenhoff
jmm at inutil.org
Thu Feb 9 20:16:59 UTC 2012
On Wed, Feb 01, 2012 at 10:46:51PM -0800, tony mancill wrote:
> On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> > Package: libstruts1.2-java
> > Severity: grave
> > Tags: security
> >
> > Hi,
> > several vulnerabilities have been reported against Struts:
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
> >
> > The version in Debian seems ancient and unmaintained, can you
> > please check whether an update is needed?
>
> The CVEs listed all explicitly reference Struts 2, and so I believe
> would only be applicable if Debian included a libstruts-2.x package.
OK, I've updated the Security Tracker.
> There are (3) rdepends of the libstruts1.2-java package. It might be
> possible to migrate them to the latest upstream Struts 1 release, which
> is 1.3.10. However, there haven't been any 1.x upstream releases in over
> 3 years.
There's a new issue, which affects 1.x:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1007
Cheers,
Moritz