Eric wrote:
> I certainly hope you are right. Though I believe the version you listed is
> the RedHat package, not the one in the jpackage repo that the install
> documents indicate. That is struts-1.3.8-2.jpp5.noarch. That version
> already pops in 3 different scanner products for other vulnerabilities.

Hello,

As Avi already mentioned, CVE-2017-5638 is relevant to struts v2. Spacewalk uses the older struts v1. Security issues reported against v1 in the past have been fixed or mitigated by Spacewalk configuration.

Regards,

> Happy Connecting. Sent from my Sprint Samsung Galaxy S® 5 Sport
>
> -------- Original message --------
>
> Hi,
>
> The CVE is applicable to struts2, while the version from JPackage is
> struts-1.3.10-12.el7.noarch. I’m assuming (hoping) that it’s actually too old
> to be vulnerable.
>
> Cheers,
> Avi
>
> > On 9 Mar 2017, at 5:49 am, Eric <[email protected]> wrote:
> >
> > CVE-2017-5638
> >
> > Struts. Our struts package is from the Generic Jpackage repository. The
> > struts rpm there has not been maintained for years. The current build
> > directions point at that repository, so I believe that makes ALL current
> > versions of Spacewalk, including 2.6, vulnerable.
> >
> > Thoughts? I believe it's applicable, but I may be mistaken, please correct
> > me if I'm wrong!!!
> >
> > If it is vulnerable, is there an alternative package that is known to work
> > with Spacewalk? I am facing the very real possibility of being required to
> > take my Spacewalk server offline today, a huge impact to my environment.
> >
> > Thanks!

--
Michael Mráka
System Management Engineering, Red Hat

_______________________________________________
Spacewalk-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/spacewalk-list
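The thread turns on one question: is the installed Struts package inside the range the CVE-2017-5638 (S2-045) advisory names? The advisory covers Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10; Struts 1.x is outside it. The script below is an added example, not code from the thread or from the Spacewalk project: it parses RPM names of the form used above (`struts-1.3.10-12.el7.noarch`, `struts-1.3.8-2.jpp5.noarch`) and returns whether each falls in the affected range. The `struts2-*` package names and the `rpm -qa` sample are constructed for illustration; this is a version-range check only and does not establish whether a given host is exploitable (scanner findings against the Struts 1 RPM, as Eric notes, concern other issues).

```python
"""Added example (not from the thread): decide whether a Struts RPM falls in
the version range named by the CVE-2017-5638 / S2-045 advisory.

Affected per the advisory: Struts 2.3.5 - 2.3.31 and Struts 2.5 - 2.5.10.
Struts 1.x is not in scope. Package names with 'struts2-' and the rpm -qa
sample below are constructed for illustration.
"""
import re

# Inclusive affected ranges from the S2-045 advisory.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# name-version-release.arch, e.g. struts-1.3.10-12.el7.noarch
RPM_RE = re.compile(
    r"^(?P<name>struts2?)-(?P<ver>\d+(?:\.\d+)*)-(?P<rel>[^-]+)\.(?P<arch>\w+)$"
)


def parse_rpm(nvra: str):
    """Return (package name, version tuple) for a struts NVRA string."""
    m = RPM_RE.match(nvra)
    if not m:
        raise ValueError(f"not a struts NVRA: {nvra!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    return m.group("name"), version


def _pad(version, width=3):
    """Right-pad with zeros so 2.5 compares as 2.5.0; longer tuples pass through."""
    return tuple(version) + (0,) * max(0, width - len(version))


def is_affected_cve_2017_5638(nvra: str) -> bool:
    """True if the RPM's version lies inside an affected Struts 2 range."""
    _, version = parse_rpm(nvra)
    if version[0] < 2:
        return False  # Struts 1.x: outside the advisory's scope
    v = _pad(version)
    # 2.5.10.1 (the fixed release) sorts above (2, 5, 10) and is excluded.
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED_RANGES)


# Constructed sample of `rpm -qa` output; not captured from a real host.
SAMPLE_RPM_QA = """\
tomcat-7.0.76-3.el7_3.noarch
struts-1.3.10-12.el7.noarch
struts2-2.3.30-1.el7.noarch
"""


def affected_from_rpm_qa(output: str):
    """Return the struts packages in `rpm -qa` output that are in range."""
    hits = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("struts"):
            continue
        try:
            if is_affected_cve_2017_5638(line):
                hits.append(line)
        except ValueError:
            continue  # e.g. struts-javadoc-*: not a bare struts NVRA, skip
    return hits


if __name__ == "__main__":
    for pkg in ("struts-1.3.10-12.el7.noarch", "struts-1.3.8-2.jpp5.noarch"):
        print(pkg, "affected:", is_affected_cve_2017_5638(pkg))
    print("in range from sample rpm -qa:", affected_from_rpm_qa(SAMPLE_RPM_QA))
```

On a Spacewalk host the real input is `rpm -qa 'struts*'`; feed that to `affected_from_rpm_qa`. A negative result here only says the package version is outside the advisory's range, which is the point Avi and Michael make about the JPackage and EL7 Struts 1 RPMs.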
