Hello, I'm a maintainer of a struts 1 application. I am not an experienced struts developer and I've just subscribed to the developer mailing list. I've become aware of the recent security vulnerability and am researching how best to fix. While we were looking to upgrade to struts 2, this security issue has increased the visibility and importance of migrating. The questions below will help me determine the level of effort. 1) Does this security issue exist in struts 1 (1.2.9 specifically)? 2) Is there migration documentation or advice that is available regarding moving from struts 1 to struts 2? 3) While likely application dependent, can anyone give me a swag on level of effort to migrate?
Current version of struts: >From our version of struts.jar, the Manifest.mf file is: Manifest-Version: 1.0 Ant-Version: Apache Ant 1.6.1 Created-By: 1.3.1_04-b02 (Sun Microsystems Inc.) Extension-Name: Struts Framework Specification-Title: Struts Framework Specification-Vendor: The Apache Software Foundation Specification-Version: 1.2.9 Implementation-Title: Struts Framework Implementation-Vendor: The Apache Software Foundation Implementation-Vendor-Id: org.apache Implementation-Version: 1.2.9 Class-Path: commons-beanutils.jar commons-digester.jar commons-fileup load.jar commons-logging.jar commons-validator.jar jakarta-oro.jar Thank you, Peter
