Posted to announce@apache.org by Rene Gielen <rg...@apache.org> on 2014/04/24 17:28:08 UTC

[ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
parameters was supposed to be resolved. Unfortunately, the correction
wasn't sufficient.

A security fix release fully addressing this issue is in preparation and
will be released as soon as possible.

Once the release is available, all Struts 2 users are strongly
recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly
recommended to apply the mitigation described [1] *

Please follow the Apache Struts announcement channels [2][3][4][5] to
stay updated regarding the upcoming security release. Most likely the
release will be available within the next 72 hours. Please prepare for
upgrading all Struts 2 based production systems to the new release
version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

-- 
René Gielen
http://twitter.com/rgielen

Fwd: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)

Posted by Konstantin Kolinko <kn...@gmail.com>.
Forwarding from announce@a.o mailing list.

---------- Forwarded message ----------
From: Rene Gielen <rg...@apache.org>
Date: 2014-04-24 19:28 GMT+04:00
Subject: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation
(security | critical)
To: announce@apache.org


In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
parameters was supposed to be resolved. Unfortunately, the correction
wasn't sufficient.

A security fix release fully addressing this issue is in preparation and
will be released as soon as possible.

Once the release is available, all Struts 2 users are strongly
recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly
recommended to apply the mitigation described [1] *

Please follow the Apache Struts announcement channels [2][3][4][5] to
stay updated regarding the upcoming security release. Most likely the
release will be available within the next 72 hours. Please prepare for
upgrading all Struts 2 based production systems to the new release
version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

--
René Gielen
http://twitter.com/rgielen
