Bug 267081 (CVE-2008-2025) - <dev-java/struts-1.2.9-r3 taglib XSS vulnerability (CVE-2008-2025)
Summary: <dev-java/struts-1.2.9-r3 taglib XSS vulnerability (CVE-2008-2025)
Status: RESOLVED FIXED
Alias: CVE-2008-2025
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://download.opensuse.org/update/1...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-22 11:17 UTC by Robert Buchholz (RETIRED)
Modified: 2009-12-20 08:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2009-04-22 11:17:22 UTC
CVE-2008-2025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2025):
  Cross-site scripting (XSS) vulnerability in Apache Struts before
  1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2
  on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and
  before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers
  to inject arbitrary web script or HTML via unspecified vectors
  related to "insufficient quoting of parameters."
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-04-22 11:18:14 UTC
patch: https://bugzilla.redhat.com/attachment.cgi?id=338986
Comment 2 Petteri Räty (RETIRED) gentoo-dev 2009-04-22 11:29:05 UTC
(In reply to comment #1)
> patch: https://bugzilla.redhat.com/attachment.cgi?id=338986
> 

Feel free to apply this yourself.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-10 20:08:31 UTC
(In reply to comment #2)
> Feel free to apply this yourself.
> 

Tried, involved some weird ant breakage à la "BUILD FAILED
/var/tmp/portage/dev-java/struts-1.2.9-r3/work/struts-1.2.9-src/build.xml:231: /var/tmp/portage/dev-java/struts-1.2.9-r3/work/struts-1.2.9-src/lib not found."

As you know your eclasses and ant better than I do, Java team please do the bump.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-24 08:12:56 UTC
+*struts-1.2.9-r3 (24 Aug 2009)
+
+  24 Aug 2009; Alex Legler <a3li@gentoo.org> +struts-1.2.9-r3.ebuild,
+  +files/struts-CVE-2008-2025.patch:
+  Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025).
+
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-24 08:13:28 UTC
Arches, please test and mark stable:
=dev-java/struts-1.2.9-r3
Target keywords : "amd64 ppc x86"
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-25 11:50:57 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2009-09-11 19:11:07 UTC
amd64 stable
Comment 8 nixnut (RETIRED) gentoo-dev 2009-09-20 18:47:06 UTC
ppc stable
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:51:15 UTC
GLSA vote: no.
Comment 10 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 08:50:01 UTC
XSS → noglsa