On Jan 11, 2012, at 7:07 AM, Slawomir Jasek wrote:

> I believe Roller-5.0.0 is bundled with:
> Struts-2.1.1
> Spring-2.5.6
>
> There are some security vulnerabilities known in these versions:
>
> http://struts.apache.org/2.x/docs/s2-006.html
> http://struts.apache.org/2.x/docs/s2-007.html
> http://struts.apache.org/2.x/docs/s2-008.html
>
> http://www.springsource.com/security/spring-framework
>
> And some of them are marked as serious.
>
> Could you please explain to me if these vulnerabilities have any chance to
> be exploited in Roller? Unfortunately I am not a programmer, and can
> not deduce it from source code.
>
> Would you be so nice to check btw if Roller-4.0.1, bundled with
> Struts-2.0.9 (which has even more security vulnerabilities), is also
> endangered? The most disturbing is
>
> http://struts.apache.org/2.x/docs/s2-005.html
>
> which I believe allows among others for unrestricted static java code
> execution (for example with java.lang.Runtime exec()) with just a single
> crafted URL.
>
> Do you follow any security procedures of upgrading external
> libraries/frameworks? Do you issue any kind of Security Bulletin in such
> cases?

It's possible that those library vulnerabilities could be exploited, but I can't be sure without further investigation. The safest thing to do is probably to switch out those libraries for the newer security-fixed versions. I'll check to see if that can be done fairly easily.

I'm not aware of a relevant security procedure, but I'll do some research and see if there is a policy or procedure that we should be following.

- Dave
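As an added example (not from this thread or the Roller project), the check an operator would run to answer the question above: inventory the jars bundled in a built Roller WAR and flag any struts2-core or spring jar older than the version in which the linked advisories say the issue was fixed. The thresholds in MIN_FIXED_VERSION are placeholders to be filled in from those advisories; the sample jar list is constructed.

```python
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# ASSUMED placeholder thresholds: replace each value with the "fixed in"
# version stated in the corresponding advisory before relying on the result.
MIN_FIXED_VERSION: Dict[str, str] = {
    "struts2-core": "9.9.9",   # placeholder, see S2-005/006/007/008
    "spring":       "9.9.9",   # placeholder, see the SpringSource advisory page
}

# Matches 'artifact-1.2.3[.suffix].jar', e.g. struts2-core-2.1.1.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-zA-Z][\w-]*?)-(?P<version>\d+(?:\.\d+)*)[^/]*\.jar$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.1.8.1' -> (2, 1, 8, 1); tuples compare lexicographically."""
    return tuple(int(p) for p in v.split("."))


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """'WEB-INF/lib/struts2-core-2.1.1.jar' -> ('struts2-core', '2.1.1')."""
    m = JAR_RE.match(name.rsplit("/", 1)[-1])
    return (m.group("artifact"), m.group("version")) if m else None


def audit_jars(jar_names: List[str], minimums: Dict[str, str] = MIN_FIXED_VERSION) -> List[Dict]:
    """Return one finding per bundled jar whose version is below the fixed version."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        for prefix, fixed in minimums.items():
            # 'spring' also covers split jars such as spring-core-*.jar
            if artifact == prefix or artifact.startswith(prefix + "-"):
                if parse_version(version) < parse_version(fixed):
                    findings.append({"jar": name, "artifact": artifact,
                                     "found": version, "fixed_in": fixed})
    return findings


def audit_war(path: str) -> List[Dict]:
    """List WEB-INF/lib/*.jar inside a WAR and audit them."""
    with zipfile.ZipFile(path) as war:
        names = [n for n in war.namelist() if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]
    return audit_jars(names)


if __name__ == "__main__":
    # Constructed sample: what a Roller 5.0.0 WEB-INF/lib might list per the thread.
    sample = ["WEB-INF/lib/struts2-core-2.1.1.jar", "WEB-INF/lib/spring-2.5.6.jar"]
    for f in audit_jars(sample):
        print(f"{f['jar']}: {f['found']} is older than fixed version {f['fixed_in']}")
```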
