Your message dated Thu, 7 Jun 2012 21:48:34 +0200
with message-id <643e801dea7974933b7d68da7b16317d.squir...@wm.kinkhorst.nl>
and subject line Re: Bug#657870: some more struts issues
has caused the Debian Bug report #657870,
regarding Multiple issues in Struts
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
657870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libstruts1.2-java
Severity: grave
Tags: security

Hi,
several vulnerabilities have been reported against Struts:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5057

The version in Debian seems ancient and unmaintained; can you
please check whether an update is needed?

Cheers,
        Moritz



--- End Message ---
--- Begin Message ---
On Thu, June 7, 2012 07:21, tony mancill wrote:
> On 06/02/2012 09:53 AM, Thijs Kinkhorst wrote:
>> Hi,
>>
>> I'm sorry, but we've got yet another set of struts vulnerabilities:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2087
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2088
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0838
>>
>> It would be really helpful if you could check how these affect Debian
>> as well.
>
> I reviewed these CVEs and they are associated with Struts 2.x.  Debian
> currently only contains Struts 1.2, and so I don't believe these are
> applicable.  (However, I have not attempted to replicate the
> vulnerabilities against sites based on the Debian libstruts1.2-java
> package.)

Thanks, closing this bug then.


Thijs



--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
