
List:       struts-user
Subject:    Re: [EXTERNAL] Re: Question Regarding Recent Security Announcement
From:       Lukasz Lenart <lukaszlenart () apache ! org>
Date:       2018-11-05 13:35:22
Message-ID: CAMopvkNG97pyoZ_+Z10_+kTz1MB_DGUOnyGjC1itA2_cfrQSDg () mail ! gmail ! com

Mon., 5 Nov 2018 at 13:33 David Dillard <David.Dillard@veritas.com> wrote:
>
> Ok, that addresses one question, but still leaves one: why is it being recommended to update File Upload NOW due to a possible DoS, when Struts has been using a version of File Upload with no documented DoS issue for the last six releases???

> Or put another way, Struts 2.3.35 uses File Upload 1.3.2. File Upload 1.3.2 currently has no documented DoS issue. Now, you're saying to update to File Upload 1.3.3 to fix a DoS issue. Why?

We announced the same a few months ago [1] and there was just one
release (Struts 2.3.35) that missed the thing [2]. And we won't be
releasing a new version just because some of the dependencies were
discovered to be vulnerable. And yes, we missed that Struts 2.3.35
and Struts 2.3.36 are using a vulnerable library.

There is a known vulnerability that affects 1.3.2 and prior versions
of commons-fileupload [3]. It's an RCE attack, not a DoS.

[1] https://struts.apache.org/announce.html#a20180323
[2] https://struts.apache.org/releases.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2016-1000031


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
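A dependency check in the spirit of the advice above, as an added example that is not part of this thread or of the Struts project: it scans `mvn dependency:tree` output and flags any commons-fileupload artifact older than 1.3.3, the fixed version named in the reply; the sample tree lines are constructed.

```python
"""Flag commons-fileupload versions below 1.3.3 in `mvn dependency:tree` output."""
import re

# Versions strictly below this are affected by CVE-2016-1000031 (per the thread / NVD entry).
FIXED_VERSION = (1, 3, 3)

# Matches Maven coordinates as printed by dependency:tree, e.g.
# "[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.3.2:compile"
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)


def parse_version(text):
    """Turn '1.3.2' or '1.4' into a tuple of ints; a non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True if the version is older than the fixed release; missing digits count as 0 (1.3 == 1.3.0)."""
    v = parse_version(version)
    if not v:
        return False  # unparseable version: cannot tell, so do not flag it
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v < FIXED_VERSION


def find_vulnerable(tree_output):
    """Return (artifact, version) pairs for every commons-fileupload dependency below 1.3.3."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m or m.group("artifact") != "commons-fileupload":
            continue
        if is_vulnerable(m.group("version")):
            hits.append((m.group("artifact"), m.group("version")))
    return hits


# Constructed sample resembling `mvn dependency:tree` output for a Struts 2.3.35 webapp.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- org.apache.struts:struts2-core:jar:2.3.35:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO] |  \\- commons-io:commons-io:jar:2.2:compile
[INFO] \\- org.apache.struts:struts2-spring-plugin:jar:2.3.35:compile
"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE_TREE):
        print(f"vulnerable: {artifact} {version} (< 1.3.3, CVE-2016-1000031)")
```

Pipe real `mvn dependency:tree` output into `find_vulnerable` to check a project; transitive copies pulled in by struts2-core are reported the same way as direct ones.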
