struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Is there a future 2.3.x release for CVE-2018-7489 recently
Date Fri, 30 Mar 2018 07:50:43 GMT
2018-03-30 5:14 GMT+02:00 song6295@gmail.com <song6295@gmail.com>:
> My team needs to fix CVE-2018-7489 in a few days and there are lots of code changes if we migrate
> to 2.5.x.
> Where can I find the release schedule plans for struts2?

Not sure what you mean by that? This vulnerability is only possible
to happen when you are using @JsonTypeInfo on Object (which means you
are using a very broad pattern) or if you have enabled "default typing" in
Jackson. Please read this [1] article for the full story.

[1] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
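An added example (not code from this thread, from Struts or from Jackson's own documentation) showing the two Jackson patterns the reply names, each beside a hardened alternative. It assumes Jackson 2.10 or later for the PolymorphicTypeValidator allow-list API, which appeared after this thread was written; the package prefix and model classes are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingCheck {
    // RISKY (pattern 1 from the reply): @JsonTypeInfo with a class-name id on an
    // Object field lets the JSON document pick any class on the classpath.
    static class RiskyEnvelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // HARDENED: a closed set of named subtypes. The "type" id resolves only to the
    // classes listed here; a class name supplied in the JSON is not honoured.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Cat.class, name = "cat"),
        @JsonSubTypes.Type(value = Dog.class, name = "dog")
    })
    interface Animal {}
    static class Cat implements Animal { public String name; }
    static class Dog implements Animal { public String name; }
    static class SafeEnvelope { public Animal payload; }

    // RISKY (pattern 2 from the reply): global default typing with no restriction
    // on which classes may be named. Deprecated in Jackson 2.10 for this reason.
    static ObjectMapper riskyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // HARDENED: if default typing is really needed, limit it to Object/abstract
    // targets and to an allow-list of your own model package (prefix is hypothetical).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.").build();
        return new ObjectMapper().activateDefaultTyping(
                ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the named-subtype form the hardened envelope accepts.
        String json = "{\"payload\":{\"type\":\"cat\",\"name\":\"Tom\"}}";
        SafeEnvelope env = hardenedMapper().readValue(json, SafeEnvelope.class);
        System.out.println("payload class: " + env.payload.getClass().getSimpleName());
    }
}
```

When reviewing an application for exposure, search for `@JsonTypeInfo(use = Id.CLASS)` on `Object`-typed fields and for any call to `enableDefaultTyping`; those are the two conditions the reply describes.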

