Processed (with 5 errors): Re: Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-07-21 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org: unarchive 745897 Bug #745897 {Done: Hideki Yamane henr...@debian.org} [libstruts1.2-java] libstruts1.2-java: CVE-2014-0114 Unarchived Bug 745897 2014-06-16 20:27 GMT+09:00 Emmanuel Bourg ebo...@apache.org: Unknown command or malformed arguments

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-07-21 Thread Nobuhiro Ban
Hi all, 2014-06-16 20:27 GMT+09:00 Emmanuel Bourg ebo...@apache.org: I got confirmation from the Struts developers that a new release using commons-beanutils 1.9.2 is planned soon. So I'm going to prepare the backport of commons-beanutils 1.9.2 in stable and wait for the new release of Struts

Bug#745897: fixed in libstruts1.2-java 1.2.9-9

2014-06-21 Thread Nobuhiro Ban
2014-06-15 15:35 GMT+09:00 Hideki Yamane henr...@debian.or.jp: This pattern will match words other than class, e.g. fooClass. Any class should be accepted, maybe it'd cause some trouble but non-class should not be named as *class, IMHO. That might be the case. This issue might be a very small

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-16 Thread Emmanuel Bourg
On 15/06/2014 06:43, Hideki Yamane wrote: Then, question: the commons-beanutils versions in Debian both seem to be still vulnerable versions. Can you provide a security backport patch for them? If not, the patch to struts1 is still useful to prevent attack, so push fix to libstruts1.2-java

Bug#745897: fixed in libstruts1.2-java 1.2.9-9

2014-06-15 Thread Hideki Yamane
Hi, On Sun, 1 Jun 2014 15:03:20 +0900 Nobuhiro Ban ban.nobuh...@gmail.com wrote: +protected static final Pattern CLASS_ACCESS_PATTERN = Pattern +.compile((.*\\.|^|.*|\\[('|\))class(\\.|('|\)]|\\[).*, +Pattern.CASE_INSENSITIVE); It's a very strange regexp.
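Review bot: the prefix group in `(.*\\.|^|.*|\\[('|\))class(\\.|('|\)]|\\[).*` contains a bare `.*` branch, and since `(P1|.*|P2)` is equivalent to `.*`, the group matches any prefix at all; together with the trailing `.*` and `Pattern.CASE_INSENSITIVE` the pattern therefore rejects every property name that merely contains "class" anywhere (fooClass, for instance), which is the regression raised in this thread, rather than only the standalone `class` property the fix is meant to block. Tightening the match to the word itself, as in the `(^|\W)[cC]lass\W` form suggested later in the thread, keeps the check on `class` while leaving names like fooClass usable; in either case the patch should come with a test that feeds both kinds of property names through CLASS_ACCESS_PATTERN so the false positive is caught before upload.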

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-14 Thread Hideki Yamane
Hi Emmanuel, commons-beanutils (1.9.2-1) unstable; urgency=medium * New upstream release * Disabled the BeanMap test which relies on a class not packaged in Debian * Moved the package to Git -- Emmanuel Bourg ebo...@apache.org Fri, 30 May 2014 13:58:47 +0200 You mean, struts1 calls

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-01 Thread Nobuhiro Ban
Hi, - add struts-1.2.9-CVE-2014-0114.patch from Red Hat to fix CVE-2014-0114 http://sources.debian.net/src/libstruts1.2-java/1.2.9-9/debian/patches/struts-1.2.9-CVE-2014-0114.patch +protected static final Pattern CLASS_ACCESS_PATTERN = Pattern +

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-01 Thread Hideki Yamane
Hi, On Sun, 1 Jun 2014 15:03:20 +0900 Nobuhiro Ban ban.nobuh...@gmail.com wrote: It's a very strange regexp. Because we know (P1|.*|P2) == .* . This pattern will match words other than class, e.g. fooClass. I think this patch will cause a regression. Thanks for your comment, do you have

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-01 Thread Nobuhiro Ban
Hi, Thanks for your comment, do you have any fix for it? Security vendors (LAC Co. Ltd and Mitsui Bussan Secure Directions, Inc.) suggest /(^|\W)[cC]lass\W/, so I'm personally using a naive implementation of this pattern: Pattern.compile(".*(^|\\W)[cC]lass\\W.*") . But I'm not IT-security

Bug#745897: closed by Hideki Yamane henr...@debian.org (Bug#745897: fixed in libstruts1.2-java 1.2.9-9)

2014-06-01 Thread Emmanuel Bourg
Hi, FYI I just uploaded Commons BeanUtils 1.9.2 which includes a new BeanIntrospector designed to fix this issue. I believe a new version of Struts using it is expected. Emmanuel Bourg