Hi Emmanuel,

>>commons-beanutils (1.9.2-1) unstable; urgency=medium
>>
>>  * New upstream release
>>  * Disabled the BeanMap test which relies on a class not packaged in Debian
>>  * Moved the package to Git
>>
>> -- Emmanuel Bourg <ebo...@apache.org>  Fri, 30 May 2014 13:58:47 +0200

 You mean, struts1 calls BeanUtils.populate and we should add check logic
 in commons-beanutils and 1.9.2 is fixed version, right?

 
https://github.com/apache/struts1/blob/STRUTS_1_2_BRANCH/src/share/org/apache/struts/util/RequestUtils.java#L493


 Then, question: commons-beanutils version in Debian is
>>  oldstable   :1.8.3-1 
>>   stable             :1.8.3-3 

 both seems to be still vulunerable version. Can you provide security-
 backport patch for them? If not, patch to struts1 is still usefull to 
 prevent attack, so push fix to libstruts1.2-java stable/oldstable, right?

-- 
Hideki Yamane <henr...@debian.or.jp>

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to