Posted to user@struts.apache.org by "Kiran Ananthpur Bacche (kbacche)" <kb...@cisco.com.INVALID> on 2018/08/31 02:57:23 UTC

Quick question on the patch for CVE-2018-11776

Hi Team,

Version 2.3.35 is the official patch for this vulnerability. However, v2.3.35 has a bunch of other fixes too.

So if we want the patch for only "CVE-2018-11776", what are the options available?

Is the fix for "CVE-2018-11776" contained completely in DefaultActionMapper.java?

Given that there was a backward compatibility issue seen with upgrade from 2.3.34 to 2.3.35 (ref: https://www.mail-archive.com/users@maven.apache.org/msg140838.html), we are checking to see if there is a way to have a patch that fixes only "CVE-2018-11776".

Thanks
    Kiran


RE: Quick question on the patch for CVE-2018-11776

Posted by Yasser Zamani <ya...@apache.org>.
>From: Kiran Ananthpur Bacche (kbacche) <kb...@cisco.com.INVALID>
>Sent: Friday, August 31, 2018 7:27 AM
>To: user@struts.apache.org
>Subject: Quick question on the patch for CVE-2018-11776
>
>Hi Team,
>
>Version 2.3.35 is the official patch for this vulnerability. However v2.3.35 has a
>bunch of other fixes too.
>
>So if we want the patch for only "CVE-2018-11776", what are the options
>available?
>
>Is the fix for "CVE-2018-11776" contained completely in
>DefaultActionMapper.java?
>
>Given that there was a backward compatibility issue seen with upgrade from
>2.3.34 to 2.3.35 (ref:
>https://www.mail-archive.com/users@maven.apache.org/msg140838.html), we are
>checking to see if there is a way to have a patch that fixes only
>"CVE-2018-11776".


Hi, 
We are so sorry for the inconvenience :(
We have fixed it and a new small release will be available soon. 
Regards.
