On 01/29/2012 06:05 AM, Moritz Muehlenhoff wrote:
> Package: libstruts1.2-java
> Severity: grave
> Tags: security
> 
> Hi,
> several vulnerabilities have been reported against Struts:
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057
> 
> The version is Debian seems ancient and unmaintained, can you
> please check, whether an update is needed?

The CVEs listed all explicitly reference Struts 2, and so I believe
would only be applicable if Debian included a libstruts-2.x package.

There are (3) rdepends of the libstrut1.2-java package.  It might be
possible to migrate them to the latest upstream Struts 1 release, which
is 1.3.10. However, there haven't been any 1.x upstream releases in over
3 years.

Cheers,
tony

Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to