CVE-2012-1007 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1007): Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do. I cannot find a decent security reference for struts 1, but it is quite likely our in-tree version is affected by other vulnerabilities as well.
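The three endpoints above reflect a request parameter into the page without escaping it, which is all a reflected XSS needs. The following is an added example, not code from Struts or from this bug: a small probe that sends a value containing HTML metacharacters to each endpoint/parameter pair named in the CVE and classifies whether it came back verbatim, entity-encoded, or not at all. The `fetch` callable is an assumption so the scanner can be pointed at a live host; here it is fed two constructed stand-ins, one that echoes the parameter raw (the vulnerable behaviour) and one that escapes it first (the fix). The stand-ins are not the Struts example webapps.

```python
import html

# Endpoints and parameters as listed in the CVE-2012-1007 description.
ENDPOINTS = {
    "struts-examples/upload/upload-submit.do": "name",
    "struts-cookbook/processSimple.do": "message",
    "struts-cookbook/processDyna.do": "message",
}

# Probe value: a unique marker plus the HTML metacharacters that must not
# survive into the page verbatim.
PROBE = 'xssprobe7f3a"><img src=x onerror=alert(1)>'


def reflection_verdict(body: str, probe: str = PROBE) -> str:
    """Classify how the probe came back in a response body."""
    if probe in body:
        return "unescaped"          # metacharacters intact: reflected XSS
    if html.escape(probe, quote=True) in body:
        return "escaped"            # reflected, but entity-encoded
    return "not-reflected"


def scan(fetch, endpoints=ENDPOINTS, probe=PROBE):
    """Send the probe to each endpoint via fetch(path, param, value) -> body
    and return {path: verdict}. fetch is supplied by the caller (assumed
    interface), so the same scanner works against a live host or, as
    below, against constructed responses."""
    return {path: reflection_verdict(fetch(path, param, probe), probe)
            for path, param in endpoints.items()}


# Constructed stand-ins for the sample webapps (not the Struts code).

def fetch_vulnerable(path, param, value):
    """Echoes the parameter into the page body without escaping."""
    return f"<html><body><p>{param}: {value}</p></body></html>"


def fetch_fixed(path, param, value):
    """Same page, with the parameter entity-encoded before output."""
    escaped = html.escape(value, quote=True)
    return f"<html><body><p>{param}: {escaped}</p></body></html>"


if __name__ == "__main__":
    for label, fetch in (("vulnerable", fetch_vulnerable), ("fixed", fetch_fixed)):
        print(label)
        for path, verdict in scan(fetch).items():
            print(f"  {path}: {verdict}")
```

Against a real target, `fetch` would issue the HTTP request (the examples take the parameter via a POST form) and return the body; the verdict logic is unchanged. An "escaped" verdict only shows that this one output context is encoded; a parameter echoed inside an attribute or a script block needs a context-specific probe.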
+ 02 Oct 2013; Tom Wijsman <TomWij@gentoo.org>
+ +files/struts-2.3.15.2-build.xml-apps-package.patch,
+ +files/struts-2.3.15.2-build.xml-classpath.patch,
+ +files/struts-2.3.15.2-build.xml-manifest.patch,
+ +files/struts-2.3.15.2-build.xml-remove-apps-portlet.patch,
+ +files/struts-2.3.15.2-build.xml-remove-core-and-plugins.patch,
+ +struts-2.3.15.2.ebuild:
+ Version bump to 2.3.15.2; for bug #152352, bug #237146, bug #405931 and bug
+ #486752.

Looks like we are going to need some KEYWORDREQ and STABLEREQ bugs; since it is late and I have worked half a day on it, I'll look into that tomorrow. If you want to file them before that, feel free to go ahead.
Long keyword list to get this set up... here goes. Arches, please test and keyword/mark stable:

dev-java/commons-lang-3.1
dev-java/felix-gogo-runtime-0.10.0
dev-java/felix-shell-1.4.3
dev-java/felix-utils-1.2.0
dev-java/osgi-compendium-4.3.1
dev-java/osgi-foundation-1.2.0-r1
dev-java/ognl-3.0.8
dev-java/struts-2.3.15.2
dev-java/struts-core-2.3.15.2
dev-java/struts-plugins-2.3.15.2
dev-java/struts-xwork-2.3.15.2
Target arches: amd64 ppc x86

dev-java/glassfish-persistence-1.0-r1
dev-java/osgi-core-api-5.0.0
Target arch: ppc
What about bug 487280? I seem to be hit by it when trying to build struts-xwork.
(In reply to Myckel Habets from comment #3)
> What about bug 487280? I seem to be hit by it when trying to build
> struts-xwork.

ercpe committed some spring-* packages two days ago, so the only blocker to that bug might be resolved. Today it is too late to look into this, and tomorrow my day is fully planned; so I plan to do this on Wednesday and hope that the spring-* packages suffice to resolve the dependencies.

(Due to the way Maven works, it satisfied the dependencies using a local repo into which Maven had fetched them; this happened because I forgot to remove them from the build.xml and expected it to rewrite them, which doesn't happen. I'll adapt my test script to clean out the Maven folder and check for the presence of such entries in the classpath of the build.xml to prevent this from ever happening again. The alternative is to use a test chroot; but it is tedious to emerge all the Java dependencies, though I could try to make a script to unmerge all packages that are not in the dependency tree of a package.)

So, expect me to fix struts-* in less than 48 hours; unless it is more urgent, in which case maybe someone else from the herd might want to look into it tomorrow. Regardless, stabilization of the non-struts packages can already proceed.
CC back the arches when 487280 is resolved.
This package has been removed, along with all the struts related ebuilds. See bug 540888.
no GLSA for XSS