From: Brett Porter
Reply-To: users@continuum.apache.org
To: users@continuum.apache.org
Subject: [SECURITY] CVE-2010-1870 Apache Continuum affected by Struts2 remote commands execution
Date: Mon, 7 Jan 2013 15:33:16 +1100

CVE-2010-1870 Apache Continuum affected by Struts2 remote commands execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Continuum 1.3.1 to Continuum 1.3.8
- Continuum 1.4.0 (Beta)

Description:
Apache Continuum is affected by a vulnerability in the version of the Struts library being used, which allows a malicious user to run code on the server remotely. More details about the vulnerability can be found at http://struts.apache.org/2.2.1/docs/s2-005.html.

Mitigation:
All users of affected versions are recommended to upgrade to Continuum 1.4.1, which configures Struts in such a way that it is not affected by this issue.

References:
http://continuum.apache.org/security.html

-- 
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter