struts-user mailing list archives

From Walter.Heesterm...@toyota-europe.com
Subject Re: Fix security vulnerability
Date Thu, 10 Jul 2014 12:55:37 GMT
seems to be fixed in 1.3.11 or later, but no release date yet

Walter




From:   Ruchika Mahajan <ruchika.mahajan22@gmail.com>
To:     Struts Users Mailing List <user@struts.apache.org>, 
Date:   10/07/2014 07:24
Subject:        Re: Fix security vulnerability



Hi,

CVE-2014-0114 was present till 1.3.10 version. In
https://issues.apache.org/jira/browse/STR/?selectedTab=com.atlassian.jira.jira-projects-plugin:roadmap-panel
link there are releases for 1.x after 1.3.10. So just wanted to confirm, is
CVE-2014-0114 fixed in any of the later releases of 1.3.10 or it is yet to
be fixed.

BR,
Ruchika


On Thu, Jul 10, 2014 at 2:40 AM, Paul Benedict <pbenedict@apache.org> wrote:

> Yes, we have releases planned:
>
> https://issues.apache.org/jira/browse/STR/?selectedTab=com.atlassian.jira.jira-projects-plugin:roadmap-panel
>
>
> Cheers,
> Paul
>
>
> On Wed, Jul 9, 2014 at 4:08 PM, Dave Newton <davelnewton@gmail.com> wrote:
>
> > I'm not sure.
> >
> > In the meantime:
> >
> > http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U72vCa1VRF9
> >
> > Dave
> >
> >
> >
> > On Wed, Jul 9, 2014 at 5:01 PM, <Walter.Heestermans@toyota-europe.com>
> > wrote:
> >
> > > Hi,
> > >
> > > http://www.cvedetails.com/cve/CVE-2014-0114/
> > >
> > > Is there a planned fix for version 1.x?
> > >
> > > Regards
> > > Walter
> > >
> > >
> > >
> > >
> > > This e-mail may contain confidential information.
> > > If you are not an addressee or otherwise authorised to receive this
> > > > message, you should not use, copy, disclose or take any action based on
> > > > this e-mail.
> > > If you have received this e-mail in error, please inform the sender
> > > promptly and delete this message and any attachments immediately.
> >
> >
> >
> >
> > --
> > e: davelnewton@gmail.com
> > m: 908-380-8699
> > s: davelnewton_skype
> > t: @dave_newton <https://twitter.com/dave_newton>
> > b: Bucky Bits <http://buckybits.blogspot.com/>
> > g: davelnewton <https://github.com/davelnewton>
> > so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
> >
>




