struts-user mailing list archives

From "Kiran Ananthpur Bacche (kbacche)" <kbac...@cisco.com.INVALID>
Subject Quick question on the patch for CVE-2018-11776
Date Fri, 31 Aug 2018 02:57:23 GMT
Hi Team,

Version 2.3.35 is the official patch for this vulnerability. However, v2.3.35 has a bunch of
other fixes too.

So if we want the patch for only "CVE-2018-11776", what are the options available?

Is the fix for "CVE-2018-11776" contained completely in DefaultActionMapper.java?

Given that there was a backward compatibility issue seen with upgrade from 2.3.34 to 2.3.35
(ref: https://www.mail-archive.com/users@maven.apache.org/msg140838.html), we are checking
to see if there is a way to have a patch that fixes only "CVE-2018-11776".

Thanks
    Kiran

