>> 1) Does this security issue exist in struts 1 (1.2.9 specifically)?

No. The recent exploit that was fixed in 2.3.15.1 was Struts 2 specific.

>> 2) Is there migration documentation or advice that is available regarding moving from struts 1 to struts 2?

Unsure. Struts 1 and Struts 2 are entirely different frameworks that just share a common name. You're probably going to need to re-write (or at least re-factor) all of your actions to migrate. Also, your view layer will need to be updated.

>> 3) While likely application dependent, can anyone give me a swag on level of effort to migrate?

Depends on how many actions you have and how they're written.

On Tue, Aug 20, 2013 at 12:25 PM, Bourke, Peter <peter.bou...@staples.com> wrote:

> Hello,
> I'm a maintainer of a struts 1 application. I am not an experienced struts
> developer and I've just subscribed to the developer mailing list.
> I've become aware of the recent security vulnerability and am researching
> how best to fix.
> While we were looking to upgrade to struts 2, this security issue has
> increased the visibility and importance of migrating.
> The questions below will help me determine the level of effort.
> 1) Does this security issue exist in struts 1 (1.2.9 specifically)?
> 2) Is there migration documentation or advice that is available regarding
> moving from struts 1 to struts 2?
> 3) While likely application dependent, can anyone give me a swag on level
> of effort to migrate?
>
> Current version of struts:
>
> From our version of struts.jar, the Manifest.mf file is:
>
> Manifest-Version: 1.0
> Ant-Version: Apache Ant 1.6.1
> Created-By: 1.3.1_04-b02 (Sun Microsystems Inc.)
> Extension-Name: Struts Framework
> Specification-Title: Struts Framework
> Specification-Vendor: The Apache Software Foundation
> Specification-Version: 1.2.9
> Implementation-Title: Struts Framework
> Implementation-Vendor: The Apache Software Foundation
> Implementation-Vendor-Id: org.apache
> Implementation-Version: 1.2.9
> Class-Path: commons-beanutils.jar commons-digester.jar commons-fileup
> load.jar commons-logging.jar commons-validator.jar jakarta-oro.jar
>
> Thank you,
>
> Peter