Posted to user@struts.apache.org by Deborah White <De...@doj.ca.gov> on 2018/11/14 18:33:55 UTC

Question

Hello, we have some very old internal apps that are still using Struts 1.  Does this alert apply to Struts 1 or only Struts 2?  It says 2.3.36 or prior so I'm not sure.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

CONFIDENTIALITY NOTICE: This communication with its contents may contain confidential and/or legally privileged information. It is solely for the use of the intended recipient(s). Unauthorized interception, review, use or disclosure is prohibited and may violate applicable laws including the Electronic Communications Privacy Act. If you are not the intended recipient, please contact the sender and destroy all copies of the communication.

Re: Question

Posted by John Bush <jt...@mchsi.com>.
I would think it pertains to Struts 1 applications since the finding is 
for any use of Apache Commons FileUpload before 1.3.3. The latest 
version of Struts 1 used commons-fileupload-1.0.jar. Not many 
applications use the library so you may be able to just remove the jar 
from your application. If you don't find that's possible, I have had
success dropping in newer versions of commons-fileupload to replace the
older. I haven't attempted it on a Struts 1 application, though.

John B

On 11/14/2018 12:41 PM, Eric Reed wrote:
> Struts 2.
>
>
> -----Original Message-----
> From: Deborah White<De...@doj.ca.gov>
> Sent: Wednesday, November 14, 2018 1:34 PM
> To:user@struts.apache.org
> Subject: Question
>
> Hello, we have some very old internal apps that are still using Struts 1.  Does this alert apply to Struts 1 or only Struts 2?  It says 2.3.36 or prior so I'm not sure.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
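
The check suggested in the reply above (is a Commons FileUpload jar before 1.3.3 bundled in the application?), as an added example that is not part of the original thread. Detecting the library by its `org/apache/commons/fileupload/` class path and reading the version from the jar file name are assumptions of this example, and the sample archives in `demo()` are constructed.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (1, 3, 3)  # per the thread: the finding covers FileUpload before 1.3.3
PKG = "org/apache/commons/fileupload/"  # class path inside a FileUpload jar
NAME_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/!]*$")
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, out):
    """Record FileUpload copies in one archive, descending into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(PKG) and n.endswith(".class") for n in names):
            # Version from the file name (assumption); renamed jar -> None -> flagged.
            m = NAME_RE.search(label)
            ver = tuple(map(int, m.group(1).split("."))) if m else None
            out.append((label, ver, ver is None or ver < FIXED))
        for n in names:
            if n.lower().endswith(ARCHIVES):
                scan_archive(zf.read(n), f"{label}!/{n}", out)

def scan_tree(root):
    """Return (location, version, needs_attention) for each copy under root."""
    out = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), out)
    return out

def make_zip(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Constructed sample: a legacy WAR bundling 1.0 and a standalone 1.3.3."""
    jar = make_zip(PKG + "FileUpload.class", b"constructed")
    with tempfile.TemporaryDirectory() as d:
        war = make_zip("WEB-INF/lib/commons-fileupload-1.0.jar", jar)
        Path(d, "legacy.war").write_bytes(war)
        Path(d, "commons-fileupload-1.3.3.jar").write_bytes(jar)
        return scan_tree(d)
```

Point `scan_tree` at a deployment directory or a folder of WAR/EAR files; a copy whose version cannot be read from its file name is reported with `None` and flagged rather than treated as fixed.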


RE: Question

Posted by Eric Reed <Er...@nysed.gov>.
Struts 2.


-----Original Message-----
From: Deborah White <De...@doj.ca.gov>
Sent: Wednesday, November 14, 2018 1:34 PM
To: user@struts.apache.org
Subject: Question

Hello, we have some very old internal apps that are still using Struts 1.  Does this alert apply to Struts 1 or only Struts 2?  It says 2.3.36 or prior so I'm not sure.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Confidentiality Notice

This email including all attachments is confidential and intended solely for the use of the individual or entity to which it is addressed. This communication may contain information that is protected from disclosure under State and/or Federal law. Please notify the sender immediately if you have received this communication in error and delete this email from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.




Re: Question

Posted by Lukasz Lenart <lu...@apache.org>.
On Wed, 14 Nov 2018 at 19:34, Deborah White <De...@doj.ca.gov> wrote:
>
> Hello, we have some very old internal apps that are still using Struts 1.  Does this alert apply to Struts 1 or only Struts 2?  It says 2.3.36 or prior so I'm not sure.
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Struts 1 reached EOL in 2013; we do not publish any announcements that
target that version, nor do we support it in any case.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
