Bug 208462

Summary: java/jakarta-struts: Security vulnerability: input validation bypass (JVN#86448949/CVE-2015-0899)
Product: Ports & Packages
Reporter: Pedro F. Giffuni <pfg>
Component: Individual Port(s)
Assignee: Ports Security Team <ports-secteam>
Status: Closed FIXED
Severity: Affects Only Me
CC: feld, junovitch, ports-secteam
Priority: ---
Keywords: needs-patch, security
Version: Latest
Flags: koobs: merge-quarterly?
Hardware: Any
OS: Any

Description Pedro F. Giffuni freebsd_committer freebsd_triage 2016-04-02 02:48:53 UTC
There has been a recent advisory:

http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html
https://jvn.jp/en/jp/JVN86448949/index.html

However ...

1) We have been using a binary release to avoid managing dependencies and other issues related to building with maven.
2) The Apache Software EOL'd struts 1, so they won't be releasing official updates. There is version 1.3.10, but it is not clear if it addresses any security issue.

Given there is no port maintainer, it may be advisable to mark it restricted and deprecate the package.
Comment 1 John Marino freebsd_committer freebsd_triage 2016-08-19 04:47:25 UTC
Let's add a couple of security-minded committers to this PR and see if one of them agrees and possibly accomplishes it.
Comment 2 Mark Felder freebsd_committer freebsd_triage 2016-08-19 15:45:12 UTC
I looked at this previously and ran into a wall. I think I created a vuxml entry but updating the port was non-trivial.
Comment 3 John Marino freebsd_committer freebsd_triage 2016-08-19 21:31:00 UTC
Hi Mark, 
Pedro is suggesting to mark it restricted and deprecate.  I was more thinking of this suggestion rather than resolving the vulnerability (or rather if the resolution isn't known)
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2016-08-20 14:32:10 UTC
Port is unmaintained, security vulnerability, over to ports-secteam
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-09-10 16:40:11 UTC
A commit references this bug:

Author: feld
Date: Sat Sep 10 16:40:01 UTC 2016
New revision: 421710
URL: https://svnweb.freebsd.org/changeset/ports/421710

Log:
  java/jakarta-struts: Mark deprecated

  PR:		208462

Changes:
  head/java/jakarta-struts/Makefile
Comment 6 Mark Felder freebsd_committer freebsd_triage 2016-09-10 16:41:46 UTC
Closing, we have resolved this by marking the port deprecated.
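For readers unfamiliar with what "mark deprecated" means in the FreeBSD ports framework, the fragment below is an added illustration and is not the content of r421710 (the page does not show that diff). The variable names DEPRECATED, EXPIRATION_DATE and RESTRICTED are the real bsd.port.mk knobs; the message text and the date are assumptions chosen for the example, and the RESTRICTED line shows the alternative Pedro raised rather than what was committed.

```make
# Added illustration of the ports-framework knobs discussed in this PR.
# This is NOT the diff from r421710; message text and date are assumptions.

# ... the port's existing Makefile (PORTNAME, MASTER_SITES, etc.) stays as-is ...

# DEPRECATED makes the framework print this reason at build/install time
# and lets tooling (pkg, portscout, build cluster) flag the port.
DEPRECATED=	Unmaintained, upstream EOL, affected by CVE-2015-0899 (JVN#86448949)

# Once this date has passed the port is removed from the tree.
# Date is an assumption for the example.
EXPIRATION_DATE=	2016-12-10

# Alternative suggested in the PR (not in the commit shown above): RESTRICTED
# keeps the port in the tree but stops its distfiles and binary packages from
# being redistributed, so users must build it locally.
#RESTRICTED=	Unfixed vulnerability in binary-only release, do not redistribute

.include <bsd.port.mk>
```

To confirm the markers took effect, run `make -V DEPRECATED -V EXPIRATION_DATE` inside the port directory; both values should be printed, and `make install` will emit the deprecation warning before proceeding.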