Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-04 Thread Dave Newton
It was actually a rebranding of an existing framework, but yep; separate
codebase.

On Fri, Sep 4, 2015 at 12:51 PM, David Gawron  wrote:

> Dave,
>
> Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I
> assumed it was very unlikely that the same vulnerability existed in Struts
> 1, but I needed to ask.
>
> -Dave-
>
>
>
>
> From:   Dave Newton 
> To: Struts Users Mailing List 
> Date:   09/03/2015 05:01 PM
> Subject: Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?
>
>
>
> There's no such thing as `devMode` in Struts 1.
>
> Struts 1 vulnerabilities would be in Struts 1 announcements, although with
> the EOL, announcements and fixes may never happen.
>
> Struts 1 and Struts 2 have essentially zero in common.
>
> Dave
>
>
> On Thu, Sep 3, 2015 at 4:41 PM, David Gawron  wrote:
>
> > The security bulletin for CVE-2015-5169 (
> > https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone
> > know if the vulnerability also exists in Struts 1 in some form?  I realize
> > Struts 1.x are no longer supported and that is why the bulletin doesn't
> > cover those releases.  I grabbed the 1.3.10 code and searched for the
> > devMode property (that property appears to be involved in the
> > vulnerability) and did not find any refs.  Searching for that property in
> > 2.x yields lots of references and leads me to believe the devMode
> > functionality was added in Struts 2.  If so, then that is good but not
> > conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate
> > hearing  any info others have on CVE-2015-5169 and Struts 1.
> >
> > -Dave-
> >
> >
>
>


-- 
e: davelnew...@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton 
b: Bucky Bits 
g: davelnewton 
so: Dave Newton 
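
The `devMode` source search described in this thread, applied to deployed applications instead: an added example (not part of the original messages) that reports which Struts 2 configuration files set `struts.devMode` and to what value. The `struts.xml` constant and the `struts.properties` key are the real Struts 2 setting names; the directory layout and file contents below are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PROP_RE = re.compile(r"^\s*struts\.devMode\s*[=:\s]\s*(\S+)")
SAMPLE = {  # constructed sample tree: two Struts 2 apps and one Struts 1 app
    "shop/WEB-INF/classes/struts.xml": '<struts><constant name="struts.devMode" value="true"/></struts>',
    "intranet/WEB-INF/classes/struts.properties": "# constructed\nstruts.devMode = false\n",
    "legacy/WEB-INF/struts-config.xml": "<struts-config><action-mappings/></struts-config>",
}

def dev_mode_in_xml(path):
    """Value of <constant name="struts.devMode" .../> in a struts.xml, or None."""
    for const in ET.parse(path).getroot().iter("constant"):
        if const.get("name") == "struts.devMode":
            return (const.get("value") or "").strip().lower()
    return None

def dev_mode_in_properties(path):
    """Value of struts.devMode in a struts.properties file, or None."""
    value = None
    for line in Path(path).read_text(errors="replace").splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # comment line
        m = PROP_RE.match(line)
        if m:
            value = m.group(1).lower()  # keep the last assignment in the file
    return value

def audit(root):
    """Sorted (relative path, value) for each Struts 2 config that sets devMode."""
    readers = {"struts.xml": dev_mode_in_xml, "struts.properties": dev_mode_in_properties}
    found = []
    for path in Path(root).rglob("struts*"):
        # struts-config.xml (Struts 1) has no reader: it has no devMode setting
        value = readers[path.name](path) if path.name in readers else None
        if value is not None:
            found.append((path.relative_to(root).as_posix(), value))
    return sorted(found)

def build_sample(root):
    for rel, text in SAMPLE.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

The Struts 1 application produces no finding at all, which mirrors the point made in the thread: the absence of the property says nothing either way about other Struts 1 issues.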


Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-04 Thread David Gawron
Dave,

Thanks for the quick reply.  It looked like Struts 2 was a rewrite so I 
assumed it was very unlikely that the same vulnerability existed in Struts 
1, but I needed to ask.

-Dave-




From:   Dave Newton 
To: Struts Users Mailing List 
Date:   09/03/2015 05:01 PM
Subject: Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?



There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.

Dave


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron  wrote:

> The security bulletin for CVE-2015-5169 (
> https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone
> know if the vulnerability also exists in Struts 1 in some form?  I realize
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property in
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate
> hearing  any info others have on CVE-2015-5169 and Struts 1.
>
> -Dave-
>
>







Re: Is the vulnerability documented in CVE-2015-5169 also applicable to Struts 1?

2015-09-03 Thread Dave Newton
There's no such thing as `devMode` in Struts 1.

Struts 1 vulnerabilities would be in Struts 1 announcements, although with
the EOL, announcements and fixes may never happen.

Struts 1 and Struts 2 have essentially zero in common.

Dave


On Thu, Sep 3, 2015 at 4:41 PM, David Gawron  wrote:

> The security bulletin for CVE-2015-5169 (
> https://struts.apache.org/docs/s2-025.html) only mentions Struts 2. Anyone
> know if the vulnerability also exists in Struts 1 in some form?  I realize
> Struts 1.x are no longer supported and that is why the bulletin doesn't
> cover those releases.  I grabbed the 1.3.10 code and searched for the
> devMode property (that property appears to be involved in the
> vulnerability) and did not find any refs.  Searching for that property in
> 2.x yields lots of references and leads me to believe the devMode
> functionality was added in Struts 2.  If so, then that is good but not
> conclusive evidence the vulnerability is not in Struts 1.  I'd appreciate
> hearing  any info others have on CVE-2015-5169 and Struts 1.
>
> -Dave-
>
>

