From: Lukasz Lenart
Date: Mon, 5 Nov 2018 14:35:22 +0100
Subject: Re: [EXTERNAL] Re: Question Regarding Recent Security Announcement
To: Struts Users Mailing List
Delivered-To: mailing list user@struts.apache.org
List-Id: "Struts Users Mailing List"
Mon, 5 Nov 2018 at 13:33 David Dillard wrote:
>
> Ok, that addresses one question, but still leaves one: why is it being recommended to update File Upload NOW due to a possible DoS, when Struts has been using a version of File Upload with no documented DoS issue for the last six releases???
> Or put another way, Struts 2.3.35 uses File Upload 1.3.2. File Upload 1.3.2 currently has no documented DoS issue. Now, you're saying to update to File Upload 1.3.3 to fix a DoS issue. Why?

We announced the same a few months ago [1] and there was just one release (Struts 2.3.35) that missed the thing [2]. And we won't be releasing a new version just because some of the dependencies were discovered to be vulnerable. And yes, we missed that Struts 2.3.35 and Struts 2.3.36 are using a vulnerable library.

There is a known vulnerability that affects 1.3.2 and prior versions of commons-fileupload [3]. It's an RCE attack, not a DoS.

[1] https://struts.apache.org/announce.html#a20180323
[2] https://struts.apache.org/releases.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
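A defender-side check for the point raised in this thread, added here as an example (not code from the thread or from the Struts project): it scans `mvn dependency:tree` output for commons-fileupload older than 1.3.3, the version the thread treats as the first not affected by CVE-2016-1000031. The sample tree text is constructed to resemble a Struts 2.3.35 build.

```python
import re
from typing import List, Tuple

# From the thread: commons-fileupload 1.3.2 and prior are affected by
# CVE-2016-1000031; 1.3.3 is the version the thread says to move to.
FIXED_VERSION = "1.3.3"
VULNERABLE_COORDS = "commons-fileupload:commons-fileupload"

# Matches one Maven dependency:tree line, e.g.
# "[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.3.2:compile"
_DEP_RE = re.compile(
    r"^\[INFO\]\s+[|+\\\s-]*([\w.-]+):([\w.-]+):(?:jar|war|pom):([\w.-]+):(\w+)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.3.2' into (1, 3, 2); a qualifier such as '-SNAPSHOT' is dropped."""
    nums = re.match(r"[\d.]+", v)
    return tuple(int(p) for p in nums.group(0).split(".") if p) if nums else ()


def find_vulnerable_fileupload(tree_output: str) -> List[str]:
    """Return 'group:artifact:version' for every commons-fileupload below FIXED_VERSION."""
    hits = []
    for line in tree_output.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue  # root artifact line or non-dependency output
        group, artifact, version, _scope = m.groups()
        if f"{group}:{artifact}" != VULNERABLE_COORDS:
            continue
        if parse_version(version) < parse_version(FIXED_VERSION):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


# Constructed sample output (hypothetical app coordinates) for a Struts 2.3.35 build.
SAMPLE_TREE = """\
[INFO] com.example:myapp:war:1.0
[INFO] +- org.apache.struts:struts2-core:jar:2.3.35:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO] |  +- commons-io:commons-io:jar:2.2:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

if __name__ == "__main__":
    for hit in find_vulnerable_fileupload(SAMPLE_TREE):
        print(f"{hit}: affected by CVE-2016-1000031, upgrade to {FIXED_VERSION} or later")
```

Pipe real output in with `mvn dependency:tree | python check.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; the check also catches the library when it arrives transitively through struts2-core rather than as a direct dependency.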