Bug#745897: closed by Hideki Yamane <henrich at debian.org> (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)
Hideki Yamane
henrich at debian.or.jp
Sun Jun 15 04:43:02 UTC 2014
Hi Emmanuel,
>>commons-beanutils (1.9.2-1) unstable; urgency=medium
>>
>> * New upstream release
>> * Disabled the BeanMap test which relies on a class not packaged in Debian
>> * Moved the package to Git
>>
>> -- Emmanuel Bourg <ebourg at apache.org> Fri, 30 May 2014 13:58:47 +0200
You mean struts1 calls BeanUtils.populate, and we should add check logic
in commons-beanutils, and 1.9.2 is the fixed version, right?
https://github.com/apache/struts1/blob/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java#L493
Then, a question: the commons-beanutils version in Debian is
>> oldstable: 1.8.3-1
>> stable: 1.8.3-3
both seem to still be vulnerable versions. Can you provide a security
backport patch for them? If not, the patch to struts1 is still useful to
prevent the attack, so push the fix to libstruts1.2-java stable/oldstable, right?
--
Hideki Yamane <henrich at debian.or.jp>
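The message above discusses adding "check logic" in front of BeanUtils.populate so that request parameters cannot reach the bean's "class" property. As an added illustration (not code from the thread, from struts1 or from commons-beanutils), the following shows a library-independent pre-filter a caller such as struts1's RequestUtils could apply: it walks each parameter name as a property path and drops any entry whose path contains a segment named "class" before handing the map to BeanUtils.populate. The FormBean class, the sample parameter map and the method names are constructed for this example; to my knowledge commons-beanutils 1.9.2 also ships its own introspector for suppressing that property, but the page does not describe it, so the check here stands on its own.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.beanutils.BeanUtils;

public class SafePopulateExample {

    // Constructed sample form bean: only "name" is meant to be writable from a request.
    public static class FormBean {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Returns true when the property path contains no segment named "class".
     * Paths are split on '.', and indexed/mapped suffixes such as "[0]" or
     * "(key)" are stripped so that "class[0]" or "class(x)" are still caught.
     */
    public static boolean isSafePropertyPath(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        for (String segment : name.split("\\.")) {
            String bare = segment.replaceAll("[\\[(].*$", "");
            if (bare.equalsIgnoreCase("class")) {
                return false;
            }
        }
        return true;
    }

    /** Copies only the parameters whose names pass isSafePropertyPath. */
    public static Map<String, String[]> filterParameters(Map<String, String[]> params) {
        Map<String, String[]> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isSafePropertyPath(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            } else {
                // A defender would log and count this; rejected names are a useful signal.
                System.err.println("rejected parameter: " + e.getKey());
            }
        }
        return safe;
    }

    /** The check logic applied before the call the message refers to. */
    public static void safePopulate(Object bean, Map<String, String[]> params) throws Exception {
        BeanUtils.populate(bean, filterParameters(params));
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate, two targeting the "class" property.
        Map<String, String[]> request = new LinkedHashMap<>();
        request.put("name", new String[] { "alice" });
        request.put("class.someProperty", new String[] { "x" });
        request.put("Class[0].other", new String[] { "y" });

        FormBean bean = new FormBean();
        safePopulate(bean, request);
        // Only "name" reaches the bean; the other two entries are dropped before populate().
        System.out.println("name=" + bean.getName());
    }
}
```

The filter is deliberately applied at the caller rather than patched into commons-beanutils itself, which matches the thread's fallback of fixing struts1 when the stable and oldstable commons-beanutils packages cannot be upgraded; the same method can be reused by any other code path that feeds untrusted parameter names into BeanUtils.populate.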