Processing commands for cont...@bugs.debian.org:
unarchive 745897
Bug #745897 {Done: Hideki Yamane henr...@debian.org} [libstruts1.2-java]
libstruts1.2-java: CVE-2014-0114
Unarchived Bug 745897
2014-06-16 20:27 GMT+09:00 Emmanuel Bourg ebo...@apache.org:
Unknown command or malformed arguments
Hi all,
2014-06-16 20:27 GMT+09:00 Emmanuel Bourg ebo...@apache.org:
I got confirmation from the Struts developers that a new release using
commons-beanutils 1.9.2 is planned soon. So I'm going to prepare the
backport of commons-beanutils 1.9.2 in stable and wait for the new
release of Struts
2014-06-15 15:35 GMT+09:00 Hideki Yamane henr...@debian.or.jp:
This pattern will match words other than class, e.g. fooClass.
Any class should be accepted, maybe it'd cause some
trouble but non-class should not be named as *class, IMHO.
That might be the case. This issue might be a very small
Le 15/06/2014 06:43, Hideki Yamane a écrit :
Then, question: commons-beanutils version in Debian is
both seems to be still vulnerable version. Can you provide security-
backport patch for them? If not, patch to struts1 is still useful to
prevent attack, so push fix to libstruts1.2-java
Hi,
On Sun, 1 Jun 2014 15:03:20 +0900
Nobuhiro Ban ban.nobuh...@gmail.com wrote:
+protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
+.compile((.*\\.|^|.*|\\[('|\))class(\\.|('|\)]|\\[).*,
+Pattern.CASE_INSENSITIVE);
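Review bot: the leading group of CLASS_ACCESS_PATTERN contains a bare ".*" branch (the third alternative in "(.*\\.|^|.*|\\[('|\"))"), so the prefix restriction collapses to "anything" and, together with the trailing ".*" and Pattern.CASE_INSENSITIVE, the pattern rejects every property path in which the letters "class", in any case, are followed by ".", "[" or a quote-and-bracket, not only a property segment that is exactly "class": "fooClass.bar" or "myclass[0]" is refused just like "class.foo". Suggest dropping the bare ".*" branch and requiring that "class" be a whole segment, i.e. preceded by the start of the path or a separator rather than by a word character, then re-checking the remaining branches against legitimate bean property names that contain "class" as a substring.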
It's a very strange regexp.
Hi Emmanuel,
commons-beanutils (1.9.2-1) unstable; urgency=medium
* New upstream release
* Disabled the BeanMap test which relies on a class not packaged in Debian
* Moved the package to Git
-- Emmanuel Bourg ebo...@apache.org Fri, 30 May 2014 13:58:47 +0200
You mean, struts1 calls
Hi,
- add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114
http://sources.debian.net/src/libstruts1.2-java/1.2.9-9/debian/patches/struts-1.2.9-CVE-2014-0114.patch
+protected static final Pattern CLASS_ACCESS_PATTERN = Pattern
+
Hi,
On Sun, 1 Jun 2014 15:03:20 +0900
Nobuhiro Ban ban.nobuh...@gmail.com wrote:
It's a very strange regexp, because we know (P1|.*|P2) == .* .
This pattern will match words other than class, e.g. fooClass.
I think this patch will cause a regression.
Thanks for your comment, do you have
Hi,
Thanks for your comment, do you have any fix for it?
Security vendors (LAC Co.Ltd and Mitsui Bussan Secure Directions, Inc.)
suggest /(^|\W)[cC]lass\W/, so I'm personally using a naive implementation
of this pattern: Pattern.compile(".*(^|\\W)[cC]lass\\W.*") .
But I'm not IT-security
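The over-matching discussed above (the bare .* branch in the patch's regexp) and the /(^|\W)[cC]lass\W/ alternative suggested in this message, side by side, as an added Java example. This is not code from the thread, from Struts or from the Red Hat patch: it reconstructs the quoted pattern with the string quotes that the list archive dropped, assumes the filter is applied as a full match (Pattern.matcher(...).matches()) over the whole property path, and runs both filters over constructed property paths that are not taken from the thread.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Runs the two "class" property filters from the thread over a few
 * constructed property paths so their behaviour can be compared.
 */
public class ClassAccessPatternCheck {

    // The pattern from the quoted patch, with string quotes restored
    // (assumption: the archive dropped them). The third branch of the first
    // group is a bare ".*", which makes the whole prefix group match anything.
    static final Pattern PATCH_PATTERN = Pattern.compile(
            "(.*\\.|^|.*|\\[('|\"))class(\\.|('|\")]|\\[).*",
            Pattern.CASE_INSENSITIVE);

    // The alternative suggested in the thread: "class" must be preceded by
    // the start of the path or a non-word character, and followed by a
    // non-word character.
    static final Pattern SUGGESTED_PATTERN = Pattern.compile(
            ".*(^|\\W)[cC]lass\\W.*");

    // Constructed sample property paths (not from the thread). The first two
    // are the kind of access a filter has to reject; the rest are ordinary
    // bean properties that merely contain the substring "class".
    static final List<String> SAMPLES = Arrays.asList(
            "class.foo",
            "user.class.bar",
            "fooClass.bar",
            "myclass[0]",
            "classification.level",
            "name");

    /**
     * True when the filter rejects the whole property path. The full-match
     * semantics (matches(), not find()) are an assumption about how such a
     * "skip this request parameter" check is applied.
     */
    static boolean isRejected(Pattern filter, String propertyPath) {
        return filter.matcher(propertyPath).matches();
    }

    /** Evaluates every sample path against one filter, in sample order. */
    static Map<String, Boolean> evaluate(Pattern filter) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String path : SAMPLES) {
            result.put(path, isRejected(filter, path));
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, Boolean> patch = evaluate(PATCH_PATTERN);
        Map<String, Boolean> suggested = evaluate(SUGGESTED_PATTERN);
        System.out.printf("%-24s %-8s %-9s%n", "property path", "patch", "suggested");
        for (String path : SAMPLES) {
            System.out.printf("%-24s %-8s %-9s%n",
                    path, patch.get(path), suggested.get(path));
        }
    }
}
```

With the patch pattern, "fooClass.bar" and "myclass[0]" are rejected alongside "class.foo" and "user.class.bar", which is the regression the thread is worried about; the suggested pattern rejects only the two genuine "class" segments. The suggested pattern has its own limit worth knowing before adopting it: the trailing \W demands a character after "class", so a bare "class" or a path ending in ".class" is not rejected, and [cC] only covers the two spellings of the first letter. Whether either gap matters depends on how the property path is resolved by the bean framework in use.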
Hi,
FYI I just uploaded Commons BeanUtils 1.9.2 which includes a new
BeanIntrospector designed to fix this issue. I believe a new version of
Struts using it is expected.
Emmanuel Bourg
This is the maintainer address of Debian's Java team