From: Lukasz Lenart
Date: Thu, 6 Mar 2014 18:07:07 +0100
Subject: Re: [Full-disclosure] [ANN] Struts 2.3.16.1 GA release available - security fix
To: Tim
Cc: Struts Users Mailing List, Struts Developers List, announcements@struts.apache.org, "security@apache.org", full-disclosure@lists.grok.org.uk
In-Reply-To: <20140306154309.GY3070@sentinelchicken.org>

No, rather no. You gain access to ClassLoader.

2014-03-06 16:43 GMT+01:00 Tim:
>
>> This release includes important security fixes:
>> - S2-020 - ClassLoader manipulation via request parameters
>
> What is the ultimate impact of this manipulation? Another RCE bug?
>
> tim