Hi Lukasz,

Sorry, I pasted the wrong CVE identifier in the subject. The CVE I want to check is CVE-2018-1327 (S2-056, Affected Software: Struts 2.1.1 - Struts 2.5.14.1).

Actually, my application doesn't even have the Struts REST plugin jars in its package. But it seems one of my big customers has very strict security policies: they found there is Struts 2.3.x in my application, and there is a vulnerability in the Struts jars, so their security team requested the operations team to shut down the application server before this gets fixed. So I want to check: are there any plans for 2.3.x releases? Thanks.

On 2018/03/30 07:50:43, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> 2018-03-30 5:14 GMT+02:00 song6...@gmail.com <song6...@gmail.com>:
> > My team needs to fix CVE-2018-7489 in a few days and there are lots of code changes
> > if we migrate to 2.5.x.
> > Where can I find the release schedule plans for Struts 2?
>
> Not sure what you mean by that? This vulnerability is only possible
> to happen when you are using @JsonTypeInfo on Object (which means you
> are using a very broad pattern) or if you enabled "default typing" in
> Jackson. Please read this [1] article for the full story.
>
> [1] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
> For additional commands, e-mail: user-h...@struts.apache.org
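The two Jackson patterns Lukasz names above (a @JsonTypeInfo-annotated Object field, and globally enabled "default typing") are the conditions under which CVE-2018-7489 matters for an application. The following is an added audit example, not code from the thread or from the Struts or Jackson projects; it shows each risky pattern next to a hardened alternative so you can compare them with your own mapper setup. The Jackson APIs used (ObjectMapper.enableDefaultTyping, activateDefaultTyping, BasicPolymorphicTypeValidator, @JsonTypeInfo, @JsonSubTypes, InvalidTypeIdException) are real; the hardened default-typing form assumes Jackson 2.10 or later, and the class names Envelope/Shape/Circle and the package prefix com.example.model. are placeholders invented for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example; class and field names are invented for illustration.
public class JacksonTypingAudit {

    // Pattern 1 (risky): polymorphic type info on a field declared as Object.
    // The incoming JSON names the class to instantiate, so any class on the
    // classpath is a candidate. This is the "very broad pattern" from the reply.
    static class RiskyEnvelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Pattern 1 (hardened): a closed type hierarchy with logical names, so the
    // JSON can only select one of the subtypes listed here.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    interface Shape {}

    static class Circle implements Shape {
        public double radius;
    }

    static class SafeEnvelope {
        public Shape payload;
    }

    // Pattern 2 (risky): global default typing; every non-final declared type
    // accepts a class name from the input. Deprecated since Jackson 2.10.
    @SuppressWarnings("deprecation")
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Pattern 2 (hardened, Jackson 2.10+): if default typing is genuinely needed,
    // restrict the classes it may instantiate to an allow-list of your own
    // packages through a PolymorphicTypeValidator.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // placeholder package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper plain = new ObjectMapper();

        // Constructed sample input: a legitimate circle, accepted by the closed hierarchy.
        String ok = "{\"payload\":{\"type\":\"circle\",\"radius\":2.0}}";
        SafeEnvelope env = plain.readValue(ok, SafeEnvelope.class);
        System.out.println("radius = " + ((Circle) env.payload).radius);

        // Constructed sample input: a type name that is not in the @JsonSubTypes list.
        // With Id.NAME the mapper cannot resolve it to a class and rejects the document.
        String unknown = "{\"payload\":{\"type\":\"square\",\"side\":1.0}}";
        try {
            plain.readValue(unknown, SafeEnvelope.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }
    }
}
```

When auditing an application for this issue, search the code base for @JsonTypeInfo annotations whose target type is Object (or another very broad type such as Serializable) and for calls to enableDefaultTyping; if neither is present, the condition described in the reply does not hold for that code, which is a useful fact to put in front of a customer's security team alongside the jar version.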
Actually, my application don't even have Struts REST plugin jars in it's package. But seems one of my big customer have very strict security policies: They found there's struts 2.3.x in my application, and there's vulnerability in struts jars, so their security request operation team to shutdown the application server before this get fixed. So I want to check is there any plan on 2.3.x releases? Thanks. On 2018/03/30 07:50:43, Lukasz Lenart <lukaszlen...@apache.org> wrote: > 2018-03-30 5:14 GMT+02:00 song6...@gmail.com <song6...@gmail.com>: > > My team need to fix CVE-2018-7489 in few days and there's lots code changes > > if we migrate to 2.5.x. > > Where I can find the release schedule plans for struts2? > > Not sure what do you mean by that? This vulnerability is only possible > to happen when you are using @JsonTypeInfo on Object (which means you > are using a very broad pattern) or if enabled "default typing" in > Jackson. Please read this [1] article for a full story > > [1] > https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 > > > Regards > -- > Åukasz > + 48 606 323 122 http://www.lenart.org.pl/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org