Bug 208462 - java/jakarta-struts: Security vulnerability: input validation bypass (JVN#86448949/CVE-2015-0899)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any (OS: Any)
Importance: --- Affects Only Me
Assignee: Ports Security Team
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
Reported: 2016-04-02 02:48 UTC by Pedro F. Giffuni
Modified: 2016-09-10 16:41 UTC
CC List: 3 users

See Also:
koobs: merge-quarterly?


Description Pedro F. Giffuni 2016-04-02 02:48:53 UTC
There has been a recent advisory:

http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html
https://jvn.jp/en/jp/JVN86448949/index.html

However ...

1) We have been using a binary release to avoid managing dependencies and
other issues related to building with maven.
2) The Apache Software EOL'd struts 1, so they won't be releasing official updates. There is version 1.3.10 but it is not clear if it addresses any security issue.

Given there is no port maintainer, it may be advisable to mark it restricted and deprecate the package.
Comment 1 John Marino 2016-08-19 04:47:25 UTC
Let's add a couple of security-minded committers to this PR and see if one of them agrees and possibly accomplishes it.
Comment 2 Mark Felder 2016-08-19 15:45:12 UTC
I looked at this previously and ran into a wall. I think I created a vuxml entry but updating the port was non-trivial.
Comment 3 John Marino 2016-08-19 21:31:00 UTC
Hi Mark,
Pedro is suggesting to mark it restricted and deprecate. I was more thinking of this suggestion rather than resolving the vulnerability (or rather if the resolution isn't known)
Comment 4 Kubilay Kocak 2016-08-20 14:32:10 UTC
Port is unmaintained, security vulnerability, over to ports-secteam
Comment 5 commit-hook 2016-09-10 16:40:11 UTC
A commit references this bug:

Author: feld
Date: Sat Sep 10 16:40:01 UTC 2016
New revision: 421710
URL: https://svnweb.freebsd.org/changeset/ports/421710

Log:
  java/jakarta-struts: Mark deprecated

  PR:		208462

Changes:
  head/java/jakarta-struts/Makefile
Comment 6 Mark Felder 2016-09-10 16:41:46 UTC
Closing, we have resolved this by marking the port deprecated.