Hi Emmanuel,

>> commons-beanutils (1.9.2-1) unstable; urgency=medium
>>
>>   * New upstream release
>>   * Disabled the BeanMap test which relies on a class not packaged in Debian
>>   * Moved the package to Git
>>
>>  -- Emmanuel Bourg <ebo...@apache.org>  Fri, 30 May 2014 13:58:47 +0200
You mean, struts1 calls BeanUtils.populate and we should add check logic in commons-beanutils, and 1.9.2 is the fixed version, right?
https://github.com/apache/struts1/blob/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java#L493

Then, question: the commons-beanutils version in Debian is

>> oldstable: 1.8.3-1
>> stable:    1.8.3-3

Both seem to be still vulnerable versions. Can you provide a security-backport patch for them?

If not, a patch to struts1 is still useful to prevent attack, so push the fix to libstruts1.2-java stable/oldstable, right?

-- 
Hideki Yamane <henr...@debian.or.jp>