CVE-2008-2025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2025): Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters."
patch: https://bugzilla.redhat.com/attachment.cgi?id=338986
(In reply to comment #1)
> patch: https://bugzilla.redhat.com/attachment.cgi?id=338986

Feel free to apply this yourself.
(In reply to comment #2)
> Feel free to apply this yourself.

Tried, involved some weird ant breakage à la "BUILD FAILED /var/tmp/portage/dev-java/struts-1.2.9-r3/work/struts-1.2.9-src/build.xml:231: /var/tmp/portage/dev-java/struts-1.2.9-r3/work/struts-1.2.9-src/lib not found." As you know your eclasses and ant better than I do, Java team please do the bump.
+*struts-1.2.9-r3 (24 Aug 2009) + + 24 Aug 2009; Alex Legler <a3li@gentoo.org> +struts-1.2.9-r3.ebuild, + +files/struts-CVE-2008-2025.patch: + Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025). +
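Review bot: The ChangeLog entry lists +files/struts-CVE-2008-2025.patch but does not say where the patch was taken from or what it changes. Since this is marked as a non-maintainer security revbump, a short note on the patch's origin in the entry would let the Java team check it against the fix they would have applied.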
Arches, please test and mark stable:
=dev-java/struts-1.2.9-r3
Target keywords : "amd64 ppc x86"
x86 stable
amd64 stable
ppc stable
GLSA vote: no.
XSS → noglsa