On Mon, 5 Nov 2018 at 13:33 David Dillard <david.dill...@veritas.com> wrote:
>
> Ok, that addresses one question, but still leaves one: why is it being
> recommended to update File Upload NOW due to a possible DoS, when Struts has
> been using a version of File Upload with no documented DoS issue for the last
> six releases???
>
> Or put another way, Struts 2.3.35 uses File Upload 1.3.2. File Upload 1.3.2
> currently has no documented DoS issue. Now, you're saying to update to File
> Upload 1.3.3 to fix a DoS issue. Why?

We announced the same a few months ago [1] and there was just one release
(Struts 2.3.35) that missed the thing [2]. And we won't be releasing a new
version just because one of the dependencies was discovered to be vulnerable.

And yes, we missed that Struts 2.3.35 and Struts 2.3.36 are using the
vulnerable library.

There is a known vulnerability that affects 1.3.2 and prior versions of
commons-fileupload [3]. It's an RCE attack, not a DoS.

[1] https://struts.apache.org/announce.html#a20180323
[2] https://struts.apache.org/releases.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031

Regards
-- 
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
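The practical takeaway of the thread is that the fix is a dependency check, not a Struts upgrade: any build that still resolves commons-fileupload 1.3.2 or older is affected by CVE-2016-1000031 and needs 1.3.3 or later. The script below is an added example written for this page; it is not code from the Struts project or from anyone in the thread. It assumes the input is the plain-text output of `mvn dependency:list` (one `groupId:artifactId:type[:classifier]:version:scope` coordinate per line, prefixed with `[INFO]`), and the sample dependency lines it scans are constructed for the example. The version comparison is numeric rather than lexical, so 1.3.10 is correctly treated as newer than 1.3.3 and a `-SNAPSHOT` of 1.3.3 as older.

```python
"""Flag commons-fileupload versions affected by CVE-2016-1000031 in a Maven dependency list.

Added example for this page; not code from Apache Struts or the mailing-list thread.
Assumption: input is the text printed by `mvn dependency:list`.
"""

# From the thread: 1.3.2 and prior are affected, 1.3.3 is the fixed release.
FIXED_VERSION = "1.3.3"
# Maven coordinates of the library (groupId, artifactId).
AFFECTED_ARTIFACT = ("commons-fileupload", "commons-fileupload")

# Constructed sample of `mvn dependency:list` output for a Struts 2.3.35-style app.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.35:compile
[INFO]    commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO]    commons-io:commons-io:jar:2.2:compile
[INFO]    ognl:ognl:jar:3.0.21:compile
"""


def parse_dependency_line(line):
    """Return (groupId, artifactId, version) for a Maven coordinate line, else None.

    Handles both the 5-field form g:a:type:version:scope and the 6-field form
    with a classifier g:a:type:classifier:version:scope; other lines are skipped.
    """
    text = line.strip()
    if text.startswith("[INFO]"):
        text = text[len("[INFO]"):].strip()
    parts = text.split(":")
    if len(parts) == 5:
        group, artifact, _type, version, _scope = parts
    elif len(parts) == 6:
        group, artifact, _type, _classifier, version, _scope = parts
    else:
        return None
    return group, artifact, version


def version_key(version):
    """Sortable key for a Maven-style version string.

    Dotted numeric components are compared as integers (so 1.3.10 > 1.3.3).
    A qualifier after '-' (e.g. -SNAPSHOT) ranks below the plain release of the
    same number, so 1.3.3-SNAPSHOT is treated as older than 1.3.3.
    """
    base, _, qualifier = version.partition("-")
    numbers = [int(piece) if piece.isdigit() else 0 for piece in base.split(".")]
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers), (0 if qualifier else 1)


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is older than the first fixed release."""
    return version_key(version) < version_key(fixed)


def find_vulnerable_fileupload(dependency_list_text):
    """Scan dependency-list text and return [(groupId:artifactId, version), ...] that need upgrading."""
    findings = []
    for line in dependency_list_text.splitlines():
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        group, artifact, version = parsed
        if (group, artifact) == AFFECTED_ARTIFACT and is_affected(version):
            findings.append((f"{group}:{artifact}", version))
    return findings


if __name__ == "__main__":
    for coordinate, version in find_vulnerable_fileupload(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}:{version} is affected by CVE-2016-1000031; "
              f"upgrade to {FIXED_VERSION} or later")
```

Run it against real output with `mvn dependency:list | python check_fileupload.py`-style piping by reading stdin instead of the constructed sample; the point is that the check keys on the resolved transitive version, which is what the Struts 2.3.35 and 2.3.36 builds in the thread got wrong.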