Your message dated Mon, 24 Apr 2006 05:47:09 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#360551: fixed in libstruts1.2-java 1.2.9-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libstruts1.2-java
Severity: grave
Tags: security
Justification: user security hole

Struts 1.2.9 fixes three security problems:

======================================================
Name: CVE-2006-1546
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1546
Reference: MLIST:[struts-user] 20060121 Validation Security Hole?
Reference: URL:http://mail-archives.apache.org/mod_mbox/struts-user/200601.mbox/[EMAIL PROTECTED]
Reference: MLIST:[struts-devel] 20060122 Re: Validation Security Hole?
Reference: URL:http://mail-archives.apache.org/mod_mbox/struts-dev/200601.mbox/[EMAIL PROTECTED]
Reference: CONFIRM:http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Reference: CONFIRM:http://issues.apache.org/bugzilla/show_bug.cgi?id=38374

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote
attackers to bypass validation via a request with a
'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which
causes the action to be canceled but would not be detected by
applications that do not use the isCancelled check.


======================================================
Name: CVE-2006-1547
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1547
Reference: CONFIRM:http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Reference: CONFIRM:http://issues.apache.org/bugzilla/show_bug.cgi?id=38534

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9
with BeanUtils 1.7 allows remote attackers to cause a denial of
service via a multipart/form-data encoded form with a parameter name
that references the public getMultipartRequestHandler method, which
provides further access to elements in the
CommonsMultipartRequestHandler implementation and BeanUtils.


======================================================
Name: CVE-2006-1548
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1548
Reference: CONFIRM:http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Reference: CONFIRM:http://issues.apache.org/bugzilla/show_bug.cgi?id=38749

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction
and possibly (2) DispatchAction and (3) ActionDispatcher in Apache
Software Foundation (ASF) Struts before 1.2.9 allows remote attackers
to inject arbitrary web script or HTML via the parameter name, which
is not filtered in the resulting error message.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)


--- End Message ---
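As an added illustration of the CVE-2006-1546 issue described in the report above (this is not code from Struts or from the bug report), the following simplified Java model of a pre-1.2.9 request pipeline shows why an Action that never checks isCancelled() ends up acting on form data that was never validated. The literal parameter name, the validation rule and the two Action bodies are assumptions constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (not Struts source) of how Struts 1.2.x before 1.2.9 treated the
// cancel token: when it is present, form validation is skipped entirely, so only an
// Action that branches on the cancelled state first is safe.
public class CancelBypassDemo {
    // Assumed literal value of org.apache.struts.taglib.html.Constants.CANCEL_PROPERTY.
    static final String CANCEL_PARAM = "org.apache.struts.taglib.html.CANCEL";

    interface Action {
        String execute(Map<String, String> form, boolean cancelled);
    }

    /** Models the request processor: validation runs only when no cancel token is present. */
    static String process(Map<String, String> request, Action action) {
        boolean cancelled = request.containsKey(CANCEL_PARAM);
        Map<String, String> form = new HashMap<>(request);
        form.remove(CANCEL_PARAM);
        if (!cancelled && !validate(form)) {
            return "input"; // validation failed: back to the form page
        }
        return action.execute(form, cancelled);
    }

    /** Constructed validation rule: "amount" must be a short, non-negative integer. */
    static boolean validate(Map<String, String> form) {
        String amount = form.get("amount");
        return amount != null && amount.matches("\\d{1,6}");
    }

    /** Vulnerable pattern: assumes validation ran and uses the form data directly. */
    static final Action unchecked = (form, cancelled) -> "transfer " + form.get("amount");

    /** Fixed pattern: the isCancelled branch comes first, before any use of form data. */
    static final Action checked = (form, cancelled) ->
            cancelled ? "cancel" : "transfer " + form.get("amount");

    public static void main(String[] args) {
        Map<String, String> request = new HashMap<>();
        request.put("amount", "-999999999"); // would be rejected by validate()
        request.put(CANCEL_PARAM, "Cancel");  // but the token suppresses validation
        System.out.println("unchecked action: " + process(request, unchecked));
        System.out.println("checked action:   " + process(request, checked));
    }
}
```

The unchecked action reaches its transfer branch with an amount that validation would have rejected, while the checked action takes the cancel branch and never touches the unvalidated data.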
--- Begin Message ---
Source: libstruts1.2-java
Source-Version: 1.2.9-1

We believe that the bug you reported is fixed in the latest version of
libstruts1.2-java, which is due to be installed in the Debian FTP archive:

libstruts1.2-java_1.2.9-1.diff.gz
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.9-1.diff.gz
libstruts1.2-java_1.2.9-1.dsc
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.9-1.dsc
libstruts1.2-java_1.2.9-1_all.deb
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.9-1_all.deb
libstruts1.2-java_1.2.9.orig.tar.gz
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arnaud Vandyck <[EMAIL PROTECTED]> (supplier of updated libstruts1.2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 24 Apr 2006 12:14:23 +0200
Source: libstruts1.2-java
Binary: libstruts1.2-java
Architecture: source all
Version: 1.2.9-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Arnaud Vandyck <[EMAIL PROTECTED]>
Description: 
 libstruts1.2-java - Java Framework for MVC web applications
Closes: 360551
Changes: 
 libstruts1.2-java (1.2.9-1) unstable; urgency=low
 .
   * New upstream release. Fixes three security problems: CVE-2006-1546,
     CVE-2006-1547, CVE-2006-1548 (closes: #360551), thanks to Moritz
     Muehlenhoff.
Files: 
 19f879dbb84aacbc2603d985ddf1301e 1065 devel optional libstruts1.2-java_1.2.9-1.dsc
 b4dc28805a07f1bd3250c55b610de070 5709604 devel optional libstruts1.2-java_1.2.9.orig.tar.gz
 57bafe5822ee5ddcae2bbcfe1c4043aa 20 devel optional libstruts1.2-java_1.2.9-1.diff.gz
 b44681448c6fb83c3f971d11b68ab8e1 669858 devel optional libstruts1.2-java_1.2.9-1_all.deb


--- End Message ---