From: Rene Gielen
To: Struts Users Mailing List, Struts Developers List, announcements@struts.apache.org
Date: Thu, 24 Apr 2014 17:32:20 +0200
Message-ID: <53592E84.5010505@apache.org>
List-Id: "Struts Users Mailing List" (user@struts.apache.org)
Subject: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient.

A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described in [1].
* Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release.

Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

--
René Gielen
http://twitter.com/rgielen

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
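The announcement says the 2.3.16.1 correction for ClassLoader manipulation via request parameters was insufficient and points to an interim mitigation in [1] without reproducing it. The following servlet filter is an added example, not the Struts project's code and not the mitigation text from [1]: it shows the defensive idea of refusing any request whose parameter names could navigate into a "class" property, and why a narrow pattern (lower-case prefix only) leaves gaps. The class name, the regex and the logging are assumptions of this example; the `javax.servlet` API calls are standard.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical interim filter (example code, not the Struts project's own):
 * rejects any request whose parameter names could navigate an expression into
 * "class" and from there towards the ClassLoader. It complements, and does not
 * replace, the excludeParams mitigation from the advisory and the fixed release.
 */
public class ClassLoaderParamFilter implements Filter {

    // Matches "class" as a whole path segment anywhere in the parameter name,
    // case-insensitively, whether reached through dot, bracket or quoted-key
    // navigation. A pattern such as "^class\\..*" only catches a lower-case
    // prefix; that kind of gap is what leaves a first correction insufficient.
    // (Assumed pattern for this example, not the advisory's regex.)
    private static final Pattern CLASS_SEGMENT =
        Pattern.compile("(?i)(^|[.\\[\\]'\"])class($|[.\\[\\]'\"])");

    /** True for names like "class.x", "Class['x']" or "a.class.b"; false for "classic" or "myClass". */
    static boolean isSuspicious(String paramName) {
        return paramName != null && CLASS_SEGMENT.matcher(paramName).find();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        for (String name : Collections.list(req.getParameterNames())) {
            if (isSuspicious(name)) {
                // Log the parameter name (not its value) so the attempt is visible
                // in the application log, then refuse the request before it reaches
                // the Struts parameters interceptor.
                req.getServletContext().log("Rejected request parameter name: " + name);
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter in web.xml with a `<filter-mapping>` that appears before the Struts filter's mapping, since the container applies filters in mapping order; otherwise the parameters interceptor runs first. Note that calling `getParameterNames()` parses the request body for form posts, which is acceptable here because the application would parse it anyway. Treat the rejected-name log line as a detection signal worth alerting on until the fixed release is deployed.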