Bug#340583: marked as done (CVE-2005-3745: Cross-Site-Scriping vulnerability)

Debian Bug Tracking System owner at bugs.debian.org
Thu Dec 1 16:03:25 UTC 2005

Your message dated Thu, 01 Dec 2005 07:47:18 -0800
with message-id <E1EhqeU-00060G-4n at spohr.debian.org>
and subject line Bug#340583: fixed in libstruts1.2-java 1.2.8-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 24 Nov 2005 11:03:56 +0000
>From jmm at inutil.org Thu Nov 24 03:03:56 2005
Return-path: <jmm at inutil.org>
Received: from inutil.org ([] helo=vserver151.vserver151.serverflex.de)
	by spohr.debian.org with esmtp (Exim 4.50)
	id 1EfEtP-0005oH-S5
	for submit at bugs.debian.org; Thu, 24 Nov 2005 03:03:56 -0800
Received: from wlan-client-044.informatik.uni-bremen.de ([] helo=localhost.localdomain)
	by vserver151.vserver151.serverflex.de with esmtpsa (TLS-1.0:RSA_AES_256_CBC_SHA:32)
	(Exim 4.50)
	id 1EfEtO-0006hd-FM
	for submit at bugs.debian.org; Thu, 24 Nov 2005 12:03:54 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.54)
	id 1EfEtI-0001c4-1N; Thu, 24 Nov 2005 12:03:48 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: CVE-2005-3745: Cross-Site-Scriping vulnerability
X-Mailer: reportbug 3.17
Date: Thu, 24 Nov 2005 12:03:48 +0100
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Message-Id: <E1EfEtI-0001c4-1N at localhost.localdomain>
X-SA-Exim-Mail-From: jmm at inutil.org
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: libstruts1.2-java
Severity: grave
Tags: security
Justification: user security hole

A Cross-Site-Scriping vulnerability has been found in the request handler
for generating error messages. Please see 
http://www.securityfocus.com/archive/1/archive/1/417296/30/0/threaded for
more details.

It's been fixed upstream in 1.2.8.

This has been assigned CVE-2005-3745, please mention it in the changelog
when fixing it.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)

Received: (at 340583-close) by bugs.debian.org; 1 Dec 2005 15:51:25 +0000
>From katie at ftp-master.debian.org Thu Dec 01 07:51:25 2005
Return-path: <katie at ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EhqeU-00060G-4n; Thu, 01 Dec 2005 07:47:18 -0800
From: Wolfgang Baer <WBaer at gmx.de>
To: 340583-close at bugs.debian.org
X-Katie: $Revision: 1.60 $
Subject: Bug#340583: fixed in libstruts1.2-java 1.2.8-1
Message-Id: <E1EhqeU-00060G-4n at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Thu, 01 Dec 2005 07:47:18 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: libstruts1.2-java
Source-Version: 1.2.8-1

We believe that the bug you reported is fixed in the latest version of
libstruts1.2-java, which is due to be installed in the Debian FTP archive:

  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.8-1.diff.gz
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.8-1.dsc
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.8-1_all.deb
  to pool/main/libs/libstruts1.2-java/libstruts1.2-java_1.2.8.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 340583 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Wolfgang Baer <WBaer at gmx.de> (supplier of updated libstruts1.2-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Hash: SHA1

Format: 1.7
Date: Tue, 29 Nov 2005 13:53:06 +0100
Source: libstruts1.2-java
Binary: libstruts1.2-java
Architecture: source all
Version: 1.2.8-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
Changed-By: Wolfgang Baer <WBaer at gmx.de>
 libstruts1.2-java - Java Framework for MVC web applications
Closes: 340583
 libstruts1.2-java (1.2.8-1) unstable; urgency=low
   * New upstream release
     Fixes a Cross-Site-Scriping vulnerability in the request handler for
     generating error messages, CVE-2005-3745 (closes: #340583)
   * Removed setting of DEB_ANT_COMPILER variable as already preset in kaffe
 908ce10eda11d3ebdd20355ae52cb7cc 1067 devel optional libstruts1.2-java_1.2.8-1.dsc
 99b90aed5fd29bb06b2b97f70da4b889 5747674 devel optional libstruts1.2-java_1.2.8.orig.tar.gz
 27687e9e9b15f6df41d30402ac9fc824 6177 devel optional libstruts1.2-java_1.2.8-1.diff.gz
 d10271cacf04fced0c92371e0fb831f8 664352 devel optional libstruts1.2-java_1.2.8-1_all.deb

Version: GnuPG v1.4.2 (GNU/Linux)


More information about the pkg-java-maintainers mailing list