2.3.15.2 and 2.3.15.3 address the same issue, but 2.3.15.2 breaks support for the action: prefix; that's why we released 2.3.15.3 as well. Even if you don't use the action: prefix functionality, it will be better to upgrade to 2.3.15.3 and use the new flag to disable the action: prefix, which is the safer option.
Regards
--
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/


2013/12/11 Markus Fischer <markus.fisc...@knipp.de>:
> Dear group,
>
> I hope that you can help to clear up my confusion about the current
> status of Struts 2.3.15.2 with regards to the security vulnerability
> S2-018 (see [1]).
>
> So far, it was my understanding that S2-018 is fixed with the 2.3.15.2
> release. And the release notes still suggest that this is the case (see
> [2]). Also, in [3] the vulnerability is categorized as only affecting
> Struts versions up to 2.3.15.1.
>
> But now I found that S2-018 is listed as a vulnerability affecting Struts
> 2.3.15.2 (see [4]). Also, the description of S2-018 currently states the
> following: "In Struts 2 before 2.3.15.3, under certain conditions this
> can be used to bypass security constraints."
>
> I am aware that there are backward compatibility issues with the action:
> prefix not working with Struts 2.3.15.2. However, some of the projects I
> am administrating (and which are running Struts 2.3.15.2) do not make
> use of that feature.
>
> My question is: do I need to update those systems in order not to be
> affected by a security vulnerability? Or is S2-018 merely listed as
> affecting Struts 2.3.15.2 because of the backward compatibility issue,
> but the security issue is fixed?
>
> Many thanks in advance,
> Markus
>
> [1] http://struts.apache.org/development/2.x/docs/s2-018.html
> [2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html
> [3] http://www.cvedetails.com/cve/CVE-2013-4310/
> [4] http://struts.apache.org/downloads.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
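The "new flag" Łukasz mentions is not named in the thread. As an added illustration (not part of either message), the struts.xml fragment below shows the constant that 2.3.15.3 introduced for this purpose, struts.mapper.action.prefix.enabled; the constant name is taken from the Struts 2.3.15.3 release documentation, not from this page, and the companion constant struts.mapper.action.prefix.crossNamespaces is likewise an assumption to verify against the docs for the exact version you deploy. Both are off by default in 2.3.15.3, so the explicit settings only document intent; they do nothing on 2.3.15.2, where the constant is not recognised, which is why the upgrade, not the config change, is the actual fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Added example, not from the thread. Requires Struts >= 2.3.15.3:
         on 2.3.15.2 the action: prefix is simply broken and this constant
         is ignored, so pin the dependency to 2.3.15.3 first. -->

    <!-- Hardened (and 2.3.15.3 default): the action: prefix in request
         parameters is not honoured at all, which closes the S2-018 bypass
         path for applications that never used the feature. -->
    <constant name="struts.mapper.action.prefix.enabled" value="false" />

    <!-- Assumed companion constant (check your version's docs): even if the
         prefix is re-enabled, keep it from redirecting across namespaces. -->
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="false" />

    <!-- Weak setting, shown only for contrast: re-enabling the prefix is
         what an application that genuinely relies on action:xxx submit
         buttons would have to do, and it widens the attack surface again. -->
    <!-- <constant name="struts.mapper.action.prefix.enabled" value="true" /> -->

    <package name="default" namespace="/" extends="struts-default">
        <action name="index">
            <result>/index.jsp</result>
        </action>
    </package>
</struts>
```

To confirm the deployed version rather than the one you think you shipped, check the Struts core jar on the application's classpath (the version is in its file name and in its MANIFEST.MF) and match it against the affected-version range on the downloads page Markus cites.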