Re: FYI

2013-08-05 Thread Rene Gielen
On 06.08.13 07:39, Lukasz Lenart wrote:
> 2013/8/5 Dave Newton :
>> I expect most of you already saw (or assumed) this, but just in case:
>>
>> https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2013-08-05
>>
>> Oh OGNL.
>
> Last time guys from Atlassian contacted us

Re: FYI

2013-08-05 Thread Lukasz Lenart
2013/8/5 Dave Newton :
> I expect most of you already saw (or assumed) this, but just in case:
>
> https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2013-08-05
>
> Oh OGNL.
Last time guys from Atlassian contacted us directly, so I assume if this issue affects Struts, t

Re: FYI

2013-08-05 Thread Paul Benedict
Steven,
I believe it's the other way around. The advisory affects XWork, but Atlassian has patched their private version of XWork to remove the vulnerability.
Paul
On Mon, Aug 5, 2013 at 9:35 PM, Steven Benitez wrote:
> The advisory indicates this affects Atlassian's build of xwork. Does this

Re: FYI

2013-08-05 Thread Steven Benitez
The advisory indicates this affects Atlassian's build of xwork. Does this also affect the official build of xwork? I'm guessing not.
On Mon, Aug 5, 2013 at 5:23 PM, Martin Gainty wrote:
> so..to mitigate
>
> struts-2.0.9 +
>
> ?
> Martin
>
> > Date: Mon, 5 Aug 2013 14:37:24 -0400
> > Subj

RE: FYI

2013-08-05 Thread Martin Gainty
so..to mitigate
struts-2.0.9 +
?
Martin
> Date: Mon, 5 Aug 2013 14:37:24 -0400
> Subject: FYI
> From: [email protected]
> To: [email protected]
>
> I expect most of you already saw (or assumed) this, but just in case:
>
> https://confluence.atlassian.com/display/DOC/Confluence+

Re: FYI

2013-08-05 Thread Paul Benedict
On a related note, I'd like to know if Struts allows OGNL interpretation through request parameters? I hope the answer is no. OGNL should be server-side scripting only.
On Mon, Aug 5, 2013 at 1:37 PM, Dave Newton wrote:
> I expect most of you already saw (or assumed) this, but just in case:
>

FYI

2013-08-05 Thread Dave Newton
I expect most of you already saw (or assumed) this, but just in case:
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2013-08-05
Oh OGNL.
Dave