Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)
2017-12-12 16:22 GMT+01:00 upendar devu :
> Could someone please confirm what Jackson databind versions are impacted?
> We are using 2.7.1 version.

Here is a list [1] of unimpacted versions, which means any others are impacted

[1] https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-342983770

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)
Could someone please confirm what Jackson databind versions are impacted?
We are using 2.7.1 version.

On Tue, Dec 12, 2017 at 9:45 AM, Lukasz Lenart wrote:
> 2017-12-12 15:29 GMT+01:00 Emi :
> > Hello,
> >>
> >> vulnerability exists in a JSON Jackson library and it's registered under
> >> CVE-2017-7525.
> >
> > I think you mean the following jars right?
> >
> > (1) jackson-core-2.9.2.jar
> > (2) jackson-annotations-2.9.0.jar
> > (3) jackson-databind-2.9.2.jar
>
> I didn't analyse which jars are affected by the CVE but I think you
> are right and mostly it will be jackson-databind only.
>
> >> Please read the bulletin [1] and apply possible
> >> solutions. This vulnerability impacts anyone using the vulnerable
> >> Jackson JSON library (not only Struts users).
> >>
> >> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
> >
> > So, if do not use the above jars, it should be fine?
>
> Yes
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
Re: Unable to use 'categories' in an action name
Thank you so much for your help - I appreciate it. I ended up just renaming the action and corrected the other pages pointing to it.

dave

On Sun, Dec 10, 2017 at 11:56 PM, Yasser Zamani wrote:
>
> On 12/10/2017 6:06 PM, Dave Weis wrote:
> > Correct, I want 'categories' to be the correct action name. I made a
> > duplicate with a different name but the same class and results and it works
> > fine. If I remove the first action I put in to test/reproduce this I still
> > get the same error.
> >
> > I have my struts.xml cut down to the below and I still can't get to
> > /commerce/categories successfully but /commerce/knobhead works fine at the
> > same time.
>
> I locally tested exactly same configuration and both knobhead and
> categories work here.
>
> If I were you, I would search all xml and java files for term
> `categories`. Maybe an action, servlet, etc is defined with same name
> somewhere via xml or annotation!
>
> I hope this helps,
> Yasser.
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)
2017-12-12 15:29 GMT+01:00 Emi :
> Hello,
>>
>> vulnerability exists in a JSON Jackson library and it's registered under
>> CVE-2017-7525.
>
> I think you mean the following jars right?
>
> (1) jackson-core-2.9.2.jar
> (2) jackson-annotations-2.9.0.jar
> (3) jackson-databind-2.9.2.jar

I didn't analyse which jars are affected by the CVE but I think you
are right and mostly it will be jackson-databind only.

>> Please read the bulletin [1] and apply possible
>> solutions. This vulnerability impacts anyone using the vulnerable
>> Jackson JSON library (not only Struts users).
>>
>> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
>
> So, if do not use the above jars, it should be fine?

Yes

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
Re: [ANN] [APACHE STRUTS] Security Bulletin S2-055: impact increased to High (related to CVE-2017-7525 - JSON Jackson library)
Hello,

> vulnerability exists in a JSON Jackson library and it's registered under
> CVE-2017-7525.

I think you mean the following jars right?

(1) jackson-core-2.9.2.jar
(2) jackson-annotations-2.9.0.jar
(3) jackson-databind-2.9.2.jar

> Please read the bulletin [1] and apply possible
> solutions. This vulnerability impacts anyone using the vulnerable
> Jackson JSON library (not only Struts users).
>
> [1] https://cwiki.apache.org/confluence/display/WW/S2-055

So, if do not use the above jars, it should be fine?

Thanks.