Bug#779621: jakarta-taglibs-standard: CVE-2015-0254

Miguel Landaeta nomadium at debian.org
Sat Mar 14 17:03:52 UTC 2015


owner 779621 !
thanks

On Tue, Mar 03, 2015 at 07:57:36AM +0100, Moritz Muehlenhoff wrote:
> Package: jakarta-taglibs-standard
> Severity: important
> Tags: security
> 
> Please see
> http://www.securityfocus.com/archive/1/534772
> 
> Cheers,
>         Moritz
> 
> 

Hi,

I can try to backport the fix introduced in jakarta taglibs 2.1.3.
However, I can't make promises that the result is even applicable to
the outdated version we have in the archive (1.1.2).

It looks like the diff is going to be really big for this late stage in
the release cycle. I mean, the full diff between 2.1.1 and 2.1.3 has almost
7000 lines. Even if I carefully manage to successfully backport only the
fix, the diff is going to be big.

Upstream implemented the fix in a new class org.apache.taglibs.standard.util.XmlUtil
with 389 LoC...

I'll try to come up with something or report if I failed at that.

Cheers,

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche