Debian-LTS has issued an advisory on August 17: http://lwn.net/Alerts/654840/

Mageia 4 and Mageia 5 are also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO, MGA4TOO
Debian-LTS used the wrong year for the CVE, which made finding info a bit more difficult. There's more info here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16444.html

Fedora has an update on QA right now:
https://bodhi.fedoraproject.org/updates/FEDORA-2015-14237

Which has the fix in these two commits:
http://pkgs.fedoraproject.org/cgit/struts.git/commit/?h=f22&id=0475cbc2f199d2a120ef36096b978eb1b180014b
http://pkgs.fedoraproject.org/cgit/struts.git/commit/?h=f22&id=ea0cd426b5149df9c10eb2ba33968039f6c6cecd
Summary: struts new security issue CVE-2014-0899 => struts new security issue CVE-2015-0899
Severity: normal => major
So CVE-2015-0899 is now fixed for Cauldron, mga5 and mga4. Packages are now submitted and uploaded to the repos.
Thanks David!

Advisory:
========================

Updated struts packages fix security vulnerability:

The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly (CVE-2015-0899).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
========================

Updated packages in core/updates_testing:
========================
struts-1.3.10-4.2.mga4
struts-javadoc-1.3.10-4.2.mga4
struts-1.3.10-8.1.mga5
struts-javadoc-1.3.10-8.1.mga5

from SRPMS:
struts-1.3.10-4.2.mga4.src.rpm
struts-1.3.10-8.1.mga5.src.rpm
Version: Cauldron => 5
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Fedora has issued an advisory for this today (September 4):
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/165517.html

Advisory:
========================

Updated struts packages fix security vulnerability:

The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly (CVE-2015-0899).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
https://lists.fedoraproject.org/pipermail/package-announce/2015-September/165517.html
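The advisory text above says only that validation "may be bypassed" and that an application is exposed "even when this function is not used explicitly". The following is an added example, not code from this bug, the Fedora commits, Struts or Commons Validator: a small Python model of the multi-page validation rule as it is commonly described for CVE-2015-0899 (the CVE record calls the vector "a modified page parameter"). It assumes that a rule runs only when `rule.page <= form.page`, that rules without a page attribute default to page 0, and that the form's page is populated from the request like any other bean property. The rule set is constructed, and the hardened variant (page taken from server-side state, request parameter ignored) is one mitigation shown for contrast, not necessarily what the Fedora patch does.

```python
"""Added example (not code from the Mageia bug, the Fedora patch, Struts or
Commons Validator): a model of the multi-page validation rule behind
CVE-2015-0899.

Assumptions, for illustration only:
  * Commons Validator applies a rule when rule.page <= form.page, and rules
    with no page attribute sit on page 0.
  * In Struts 1 the form's page is an ordinary bean property and is filled
    from request parameters like any other field (the CVE record describes
    the bypass as "a modified page parameter").
  * The rule set below is a constructed validation.xml equivalent, and the
    hardened variant (page comes from server-side state, never from the
    request) is one mitigation, not necessarily what the Fedora commits do.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    field: str
    name: str
    check: Callable[[str], bool]
    page: int = 0  # rules that declare no page attribute default to page 0


# Constructed rule set: a two-screen wizard. The page-0 rules are exactly what
# a plain single-page form would have, i.e. the "multi-page function not used
# explicitly" case from the advisory; only the email rule belongs to page 1.
RULES: List[Rule] = [
    Rule("username", "username:required", lambda v: bool(v.strip())),
    Rule("username", "username:mask", lambda v: v.isalnum() and len(v) <= 16),
    Rule("amount", "amount:integer", lambda v: v.isdigit()),
    Rule("email", "email:required", lambda v: "@" in v, page=1),
]


def validate(form: Dict[str, object], rules: List[Rule]) -> List[str]:
    """Model of Form.validate(): run every rule whose page is <= form['page']
    and return the names of the rules that failed."""
    failures = []
    for rule in rules:
        if rule.page <= form["page"]:
            value = str(form.get(rule.field, ""))
            if not rule.check(value):
                failures.append(rule.name)
    return failures


def process_request(params: Dict[str, str], rules: List[Rule],
                    trust_request_page: bool, server_page: int = 0) -> List[str]:
    """Model of request population followed by validation.

    trust_request_page=True reproduces the vulnerable behaviour: a 'page'
    parameter overwrites the form's page, so the client chooses which rules
    run at all. With False the parameter is ignored and the page is whatever
    the server already knows (server_page, e.g. from the session).
    """
    form: Dict[str, object] = {"page": server_page}
    for key, value in params.items():
        if key == "page":
            if trust_request_page:
                form["page"] = int(value)  # attacker-controlled page number
            continue
        form[key] = value
    return validate(form, rules)


if __name__ == "__main__":
    # Constructed request: every field invalid, plus page=-1 so that no rule
    # satisfies rule.page <= page and nothing is checked.
    bad_input = {"username": "", "amount": "abc", "email": "", "page": "-1"}
    print("vulnerable:", process_request(bad_input, RULES, True))   # []
    print("hardened:  ", process_request(bad_input, RULES, False))  # three failures
```

The point the model makes for a QA tester or an application owner: a single-page form never sets `page`, yet the property exists and is writable, so a negative page number in the request disables every rule of the form. Pinning the page to server-side state closes that path; the exact change shipped in the struts packages here should be read from the Fedora commits linked in comment 2.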
Change the URL to the LWN entry with the correct CVE. The old one was: http://lwn.net/Vulnerabilities/654885/
URL: http://lwn.net/Vulnerabilities/654885/ => http://lwn.net/Vulnerabilities/656658/
(In reply to David Walser from comment #5)
> Change the URL to the LWN entry with the correct CVE. The old one was:
> http://lwn.net/Vulnerabilities/654885/

I mean that I changed it, I wasn't asking anyone to do anything here :o)
What's the testing procedure? Can I just do "urpmi struts" without "Updates Testing" enabled and then do it again with Testing enabled and see that everything is fine?
CC: (none) => shlomif
Don't forget you can easily search for previous updates using the quick search links on the madb page. Struts was previously updated in bug 13342. As with most java modules we just ensured it could update cleanly without any errors, as you suggest.
(In reply to claire robinson from comment #8)
> Don't forget you can easily search for previous updates using the quick
> search links on the madb page.
>
> Struts was previously updated in bug 13342. As with most java modules we
> just ensured it could update cleanly without any errors, as you suggest.

Fair enough, I'm going to test MGA{5,4}-{32,64} now.
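The test procedure agreed above (install struts from stable, enable the testing medium, update, check that it updates cleanly) can be scripted so that the four MGA{5,4}-{32,64} runs check the same thing. The script below is an added example, not a script from this bug or from Mageia QA: the expected package versions are the ones listed in the advisory in this bug, while the medium name "Core Updates Testing", enabling it with `urpmi.update --no-ignore`, and the file name `struts-qa.sh` are assumptions about the test VM.

```shell
#!/bin/sh
# Added example, not a script from this bug or from Mageia QA: a helper for
# the procedure in comment #8 (install struts from stable, enable Core
# Updates Testing, update, confirm the advisory's packages landed).
# Expected versions come from the advisory in this bug; the medium name
# "Core Updates Testing" and enabling it via urpmi.update --no-ignore are
# assumptions about how the test VM's media are set up.

# Print the NEVRs the advisory lists for a Mageia release (4 or 5).
expected_for_release() {
    case "$1" in
        4) printf '%s\n' struts-1.3.10-4.2.mga4 struts-javadoc-1.3.10-4.2.mga4 ;;
        5) printf '%s\n' struts-1.3.10-8.1.mga5 struts-javadoc-1.3.10-8.1.mga5 ;;
        *) echo "unknown release: $1" >&2; return 1 ;;
    esac
}

# Print NAME-VERSION-RELEASE for the installed struts packages.
installed_nevrs() {
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' struts struts-javadoc
}

# verify_installed RELEASE INSTALLED
#   INSTALLED is a newline-separated list of NEVRs (normally the output of
#   installed_nevrs; passed as an argument so the check can run without rpm).
#   Returns 0 only when every expected package is present at the expected
#   version, so a stale or partially applied update fails the run.
verify_installed() {
    release=$1
    installed=$2
    rc=0
    for want in $(expected_for_release "$release"); do
        if printf '%s\n' "$installed" | grep -qx "$want"; then
            echo "OK   $want"
        else
            echo "FAIL $want is not installed"
            rc=1
        fi
    done
    return $rc
}

# The actual QA run, to be executed as root on a clean Mageia test VM.
run_qa() {
    release=$1
    expected_for_release "$release" >/dev/null || return 1
    # 1. Install the current stable packages.
    urpmi --auto struts struts-javadoc
    echo "before update:"
    installed_nevrs
    # 2. Enable the testing medium and pull the candidate update from
    #    update media only (medium name is an assumption, see above).
    urpmi.update --no-ignore "Core Updates Testing"
    urpmi --auto --update struts struts-javadoc
    # 3. Confirm the candidate packages are exactly what the advisory lists.
    verify_installed "$release" "$(installed_nevrs)"
}

# Usage on the test VM: sh struts-qa.sh run 5   (or: run 4)
case "${1:-}" in
    run) run_qa "$2" ;;
esac
```

A non-zero exit from `run_qa` means either urpmi reported an error during the update (the thing the procedure is primarily looking for with Java modules) or the installed versions do not match the advisory, which is what to check before adding an MGAx-yy-OK mark to the whiteboard.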
Marking as MGA5-64-OK.
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK
Marking as MGA4-32-OK.
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA4-32-OK
Marking as MGA5-32-OK.
Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK
Marking as MGA4-64-OK and validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK => MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK => MGA4TOO has_procedure advisory MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0351.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED