struts-user mailing list archives

From Rene Gielen <gie...@it-neering.net>
Subject Re: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
Date Thu, 24 Apr 2014 18:39:11 GMT
Yes.

On 24.04.14 19:37, emilu@cse.concordia.ca wrote:
> Hello List,
> 
> I am using tiles-default:
> <struts>
>    <package name="Example" namespace="/Action/Example"
> extends="tiles-default">
>       <result-types>
>          <result-type name="tiles"
> class="org.apache.struts2.views.tiles.TilesResult" />
>       </result-types>
> 
>       <action name="*ProcessExampleAction"  method="{1}"
> class="ExampleAction">
>          <result name="success"   type="tiles">success_gui</result>
>          <result name="ajax_check">
>                 /WEB-INF/pages/errorinfo/ajax_error_check.jsp
>           </result>
>       </action>
> Do I need this update below as well?  Thank you!
> 
> On 04/24/2014 11:32 AM, Rene Gielen wrote:
>> In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
>> parameters was supposed to be resolved. Unfortunately, the correction
>> wasn't sufficient.
>>
>> A security fix release fully addressing this issue is in preparation and
>> will be released as soon as possible.
>>
>> Once the release is available, all Struts 2 users are strongly
>> recommended to update their installations.
>>
>> * Until the release is available, all Struts 2 users are strongly
>> recommended to apply the mitigation described [1] *
>>
>> Please follow the Apache Struts announcement channels [2][3][4][5] to
>> stay updated regarding the upcoming security release. Most likely the
>> release will be available within the next 72 hours. Please prepare for
>> upgrading all Struts 2 based production systems to the new release
>> version once available.
>>
>> - The Apache Struts Team.
>>
>> [1] http://struts.apache.org/announce.html#a20140424
>> [2] http://struts.apache.org/mail.html
>> [3] http://struts.apache.org/announce.html
>> [4] https://plus.google.com/+ApacheStruts/posts
>> [5] https://twitter.com/TheApacheStruts
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 

-- 
René Gielen
IT-Neering.net
Saarstrasse 100, 52062 Aachen, Germany
Tel: +49-(0)241-4010770
Fax: +49-(0)241-4010771
Cel: +49-(0)163-2844164
http://twitter.com/rgielen
