Well, this was the first hit on google: http://www.microsoft.com/technet/security/bulletin/rating.mspx
Therefore, I'd say Moderate to Important.

Don

On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
> Yes, sounds good to me. How about the criticality rating in the
> bulletin? "Critical" was - I have to admit :) - just copied from 001,
> what would be a fitting rating here?
>
> Don Brown wrote:
>
> > What about:
> >
> > * All developers are strongly advised to update Struts 2 applications
> > to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
> >
> > In this way, we aren't quite so "in-your-face" and a quick summary of
> > the issue and what part of Struts 2 is affected is included. The
> > qualifier is probably important as not all apps use the affected
> > Struts 2 tags and since the release just includes that one fix, it is
> > valuable to specify exactly what has been fixed.
> >
> > Still, these are all minor things - the important thing is that you
> > got this release out so quickly and for that, we are all very grateful
> > :)
> >
> > Don
> >
> > On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
> >> Agreed. How should we put it better?
> >>
> >> Don Brown wrote:
> >>
> >> > Good point. This pales in comparison to, say, the OGNL remote code
> >> > exploit. XSS exploits, while important, just aren't anywhere near as
> >> > big of a deal.
> >> >
> >> > Don
> >> >
> >> > On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
> >> > <[EMAIL PROTECTED]> wrote:
> >> >> My opinion is that the criticality is overstated.
> >> >> However it is useful to draw attention to the vulnerability.
> >> >>
> >> >> Don Brown wrote:
> >> >> > Looks good. Thanks for creating a security bulletin as well.
> >> >> >
> >> >> > Don
> >> >> >
> >> >> > On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
> >> >> >
> >> >> >> The release has been submitted for mirroring. Here's a draft
> >> >> >> announcement that we could post tomorrow morning, including a link to a
> >> >> >> corresponding security bulletin announcement in the wiki. Comments and
> >> >> >> corrections to both texts are highly appreciated.
> >> >> >>
> >> >> >> ----
> >> >> >>
> >> >> >> Apache Struts 2.0.11.1 is now available from
> >> >> >> <http://struts.apache.org/download.cgi#struts20111>.
> >> >> >>
> >> >> >> This release is a fast track security fix release, including important
> >> >> >> security fixes regarding possible cross site scripting exploits. For
> >> >> >> more information about the exploits, visit our security bulletins page at
> >> >> >> <http://cwiki.apache.org/confluence/display/WW/S2-002>.
> >> >> >>
> >> >> >> * ALL DEVELOPERS ARE STRONGLY ADVISED TO UPDATE TO STRUTS 2.0.11.1
> >> >> >> IMMEDIATELY!
> >> >> >>
> >> >> >> For the complete release notes for Struts 2.0.11.1, see
> >> >> >> <http://cwiki.apache.org/confluence/display/WW/Release+Notes+2.0.11.1>.
> >> >> >>
> >> >> >> ---------------------------------------------------------------------
> >> >> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> >> >> For additional commands, e-mail: [EMAIL PROTECTED]