Re: Quick question on the patch for CVE-2018-11776
Tue, 4 Sep 2018 at 07:31 Akkina, Rahul Anand wrote:
>
> Hi Team,
>
> Greetings for the day!
>
> One of the applications (very old) which we host uses Struts 1.1 and, just
> to add, we guarantee we are not exposing any action path with the URL pattern /*.
> Going by the details posted in the forums below, the vulnerability is specific to
> Struts 2.
>
> https://cwiki.apache.org/confluence/display/WW/S2-057
> https://semmle.com/news/apache-struts-CVE-2018-11776
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
> https://lgtm.com/blog/apache_struts_CVE-2018-11776
>
> We do understand that Struts 1.x is no longer supported by the community and
> needs to be upgraded. Having said that, is our assertion on the effects of the
> vulnerability correct?

I would assume yes, but I cannot guarantee that as we do not perform any tests against Struts 1.

Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/

-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Quick question on the patch for CVE-2018-11776
Hi Team,

Greetings for the day!

One of the applications (very old) which we host uses Struts 1.1 and, just to add, we guarantee we are not exposing any action path with the URL pattern /*. Going by the details posted in the forums below, the vulnerability is specific to Struts 2.

https://cwiki.apache.org/confluence/display/WW/S2-057
https://semmle.com/news/apache-struts-CVE-2018-11776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
https://lgtm.com/blog/apache_struts_CVE-2018-11776

We do understand that Struts 1.x is no longer supported by the community and needs to be upgraded. Having said that, is our assertion on the effects of the vulnerability correct?

Thanks,
Rahul Anand Akkina
RE: Quick question on the patch for CVE-2018-11776
> From: Kiran Ananthpur Bacche (kbacche)
> Sent: Friday, August 31, 2018 7:27 AM
> To: user@struts.apache.org
> Subject: Quick question on the patch for CVE-2018-11776
>
> Hi Team,
>
> Version 2.3.35 is the official patch for this vulnerability. However, v2.3.35
> has a bunch of other fixes too.
>
> So if we want the patch for only "CVE-2018-11776", what are the options
> available?
>
> Is the fix for "CVE-2018-11776" contained completely in
> DefaultActionMapper.java?
>
> Given that there was a backward compatibility issue seen with the upgrade from
> 2.3.34 to 2.3.35 (ref: https://www.mail-archive.com/us...@maven.apache.org/msg140838.html),
> we are checking to see if there is a way to have a patch that fixes only "CVE-2018-11776".

Hi,

We are so sorry for the inconvenience :( We have fixed it and a new small release will be available soon.

Regards.