Hi Emmanuel,

>>commons-beanutils (1.9.2-1) unstable; urgency=medium
>>  * New upstream release
>>  * Disabled the BeanMap test which relies on a class not packaged in Debian
>>  * Moved the package to Git
>> -- Emmanuel Bourg <ebo...@apache.org>  Fri, 30 May 2014 13:58:47 +0200

 You mean, struts1 calls BeanUtils.populate and we should add check logic
 in commons-beanutils, and 1.9.2 is the fixed version, right?


 Then, question: commons-beanutils version in Debian is
>>  oldstable   :1.8.3-1 
>>   stable             :1.8.3-3 

 both seem to be still vulnerable versions. Can you provide a
 security-backport patch for them? If not, a patch to struts1 is still useful to
 prevent attack, so push the fix to libstruts1.2-java stable/oldstable, right?

Hideki Yamane <henr...@debian.or.jp>
