There has been a recent advisory:
http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html
https://jvn.jp/en/jp/JVN86448949/index.html
However ...
1) We have been using a binary release to avoid managing dependencies and other issues related to building with Maven.
2) The Apache Software EOL'd Struts 1, so they won't be releasing official updates.
There is version 1.3.10, but it is not clear if it addresses any security issue. Given there is no port maintainer, it may be advisable to mark it restricted and deprecate the package.
Let's add a couple of security-minded committers to this PR and see if one of them agrees and possibly accomplishes it.
I looked at this previously and ran into a wall. I think I created a VuXML entry, but updating the port was non-trivial.
Hi Mark, Pedro is suggesting to mark it restricted and deprecate. I was thinking more of this suggestion rather than resolving the vulnerability (or rather if the resolution isn't known).
Port is unmaintained, security vulnerability, over to ports-secteam
A commit references this bug:
Author: feld
Date: Sat Sep 10 16:40:01 UTC 2016
New revision: 421710
URL: https://svnweb.freebsd.org/changeset/ports/421710
Log:
  java/jakarta-struts: Mark deprecated
  PR: 208462
Changes:
  head/java/jakarta-struts/Makefile
Closing, we have resolved this by marking the port deprecated.