Thanks Eric and Martin for your valuable information, we already have high
security backed network, server and application configuration. Was just
worried about underlying security issues with struts2.
--
Thanks & Regards
Srikanth
Software Developer
eGovernments
all initial points of contact to your site should go thru a login process with
a public key backed by a cert provided by vendor(you)
if the cert was self-signed or the key is forged you should return a 401
if the JSSE Key exchange is successful then your session will be assigned a
secure t
2013/10/16 Greg Lindholm :
> Is there any estimated time of release for 2.3.15.3?
Under Vote till today's evening, then pushed to central, then site
update and done :-)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
2013/10/16 Markus Fischer :
> Hi Łukasz,
>
>> The latest version is here:
>> http://people.apache.org/builds/struts/2.3.15.3
>
> thanks for the update and the quick turnaround on this.
>
> I can confirm that with Struts-2.3.15.3, my issues with "action:"
> buttons are fixed. I. e., Backward Compati
Is there any estimated time of release for 2.3.15.3?
On Wed, Oct 16, 2013 at 9:23 AM, Markus Fischer wrote:
> Hi Łukasz,
>
> > The latest version is here:
> > http://people.apache.org/builds/struts/2.3.15.3
>
> thanks for the update and the quick turnaround on this.
>
> I can confirm that with S
Hi Łukasz,
> The latest version is here:
> http://people.apache.org/builds/struts/2.3.15.3
thanks for the update and the quick turnaround on this.
I can confirm that with Struts-2.3.15.3, my issues with "action:"
buttons are fixed. I. e., Backward Compatibility for applications using
the "action
Thanks!
On 16/10/2013 07:37 a.m., Lukasz Lenart wrote:
Yes, I have downgraded to 2.3.15.1 and it will be fixed in 2.3.15.3
2013/10/16 Antonio Sánchez :
So, is it still possible to render a cancel button in 2.3.15.2? Or must
downgrade to 2.3.15.1? Will the bug be fixed in 15.3?
El Miércoles
First of all, security on web applications is of a concern but not as
much as one would think.
To find all the security vulnerabilities within any application, or
framework, one would find all the entry points which allow user
provided data. This could be a field, a protocol, etc. and then one
wo
Yes, I have downgraded to 2.3.15.1 and it will be fixed in 2.3.15.3
2013/10/16 Antonio Sánchez :
> So, is it still possible to render a cancel button in 2.3.15.2? Or must
> downgrade to 2.3.15.1? Will the bug be fixed in 15.3?
>
> El Miércoles, 16 de Octubre de 2013 02:35:06 a.m., Lukasz Lenart es
So, is it still possible to render a cancel button in 2.3.15.2? Or must
downgrade to 2.3.15.1? Will the bug be fixed in 15.3?
On Wednesday, 16 October 2013 02:35:06 a.m., Lukasz Lenart
wrote:
2013/10/15 Antonio Sánchez :
Set to false.
But having same results set to true.
I'm using
Ok, so the only option is to go through each security bulletin and check
the provided Proof-of-Concept if it affects your application. And DMI
isn't a problem if used wisely.
https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
2013/10/16 Sreekanth S. Nair :
> Thanks Lukasz, the problem I'm
I don't mean it like that, but something like a proof of concept
like http://struts.apache.org/release/2.3.x/docs/s2-016.html
--
Thanks & Regards
Srikanth
Software Developer
eGovernments Foundations
www.egovernments.org
Mob : 9980078913
--
2013/10/16 Sreekanth S. Nair :
> Test Case to test the security vulnerability (major ones) in
> struts2-core-2.1.2.
Everything you can find is in the Struts repository, it's Open Source, not
closed-source software ;-)
And there is no "test" which magically checks security
vulnerabilities, even secu
Thanks Lukasz, the problem I'm facing now is our product is so huge to do a
migration and running mainly on DMI. I'm unable to convince my top
management about how bad the struts2 vulnerability is (since I don't know how to
replicate the vulnerability). So I have no choice other than option 2.
--
Than
I do not think that is possible.
You have 2 options
1. Upgrade your struts2 version.
2. Go through security vulnerability and see what was there and create test
cases to see what exactly is happening and fix them by checking patches.
But IMO, upgrading to latest version is much more flexible and l
Test Case to test the security vulnerability (major ones) in
struts2-core-2.1.2.
--
Thanks & Regards
Srikanth
Software Developer
eGovernments Foundations
www.egovernments.org
Mob : 9980078913
On Wed, Oct 16, 2013 at 4:15 PM, Luka
2013/10/16 Sreekanth S. Nair :
> One more doubt, is this security vulnerability able to bring down the
> server :-) ? If we authorize ourselves to Apache, is it possible for the struts
> team to give us a test case to check the vulnerability?
What do you mean by that? What test case do you refer to?
Re
One more doubt, is this security vulnerability able to bring down the
server :-) ? If we authorize ourselves to Apache, is it possible for the struts
team to give us a test case to check the vulnerability?
--
Thanks & Regards
Srikanth
Software Developer
eGovernment
Hi,
Thanks Lukasz, but that's too much of a task to compare, rather I can
migrate ;-). Thanks Antonios, I will refer to those links.
--
Thanks & Regards
sreekanth
On Wed, Oct 16, 2013 at 3:25 PM, Antonios Gkogkakis wrote:
> Hi Sreekanth,
>
> Lukasz beat me!
>
Hi Sreekanth,
Lukasz beat me!
If you don't want to upgrade you should at least check the security
bulletins
http://struts.apache.org/release/2.2.x/docs/security-bulletins.html
http://struts.apache.org/release/2.3.x/docs/security-bulletins.html
see which vulnerabilities affect you and follow the
Tough task ;-)
The only option is to analyse what kind of vulnerabilities were
discovered after and which of them can potentially affect your version
(given vulnerable functionality exists in your version you use right
now).
https://cwiki.apache.org/confluence/display/WW/Migration+Guide
2013/10
Hi,
Due to time and other internal constraints, we are unable to upgrade
struts2 to the latest version. So I would like to know, if we use an old
struts2 distro (in my case: struts2-core-2.1.2), what countermeasures
need to be taken?
Regards
2013/10/15 Antonio Sánchez :
> Set to false.
>
> But having same results set to true.
>
> I'm using action="index" approach. Now, cancel always launches 404.
It was related to a bug in 2.3.15.2, now with 2.3.15.1 it works fine!
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
--
Hm too old as for me, so I don't know, try Yaragalla Muralidhar's
solution though.
2013/10/16 Srimuralidharan S :
> my struts 2 version is 2.0.11
> On 10/16/2013 12:51 PM, Lukasz Lenart wrote:
>>
>> Struts 2 version?
>>
>> 2013/10/16 Srimuralidharan S:
>>>
>>> Hi to all,
>>> I'm
> Thanks!!
> I am wondering why it is working fine for other case?
> I was expecting that Struts2 will convert it for me ;)
Rather Guice ;-) But maybe with Guice3 there will be no problem ;-)
Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
--
Thanks!!
I am wondering why it is working fine for other case?
I was expecting that Struts2 will convert it for me ;)
Thanks
Umesh
On Wed, Oct 16, 2013 at 12:54 PM, Lukasz Lenart wrote:
> 2013/10/16 Umesh Awasthi :
> > I am trying to inject few values to my bean like
> >
> > @Inject
> > pub
my struts 2 version is 2.0.11
On 10/16/2013 12:51 PM, Lukasz Lenart wrote:
Struts 2 version?
2013/10/16 Srimuralidharan S:
Hi to all,
I'm using struts 2 framework with the following configuration I
received the following warning and my application doesn't work
[Form] No configu
2013/10/16 Umesh Awasthi :
> I am trying to inject few values to my bean like
>
> @Inject
> public
> DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
> String providerClassName,
>
> @Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=
Struts 2 version?
2013/10/16 Srimuralidharan S :
> Hi to all,
> I'm using struts 2 framework with the following configuration I
> received the following warning and my application doesn't work
> [Form] No configuration found for the specified action: '/' in namespace:
> ''. Form act
I am trying to inject few values to my bean like
@Inject
public
DefaultJSR303ValidationManager(@Inject(value=ValidatorConstants.PROVIDER_CLASS,required=false)
String providerClassName,
@Inject(value=ValidatorConstants.IGNORE_XMLCONFIGURAITION,required=false)
boolean ignoreXMLConfiguration
try the following
instead of
You forgot to add namespace to your "package". Hope this solves your problem.
*Thanks and Regards,*
Muralidhar Yaragalla.
*http://yaragalla.blogspot.in/*
On Wed, Oct 16, 2013 at 12:30 PM, Srimuralidharan S <
srimuralidhara...@dhyanit.com> wrote:
> Hi to all,
>
Hi to all,
I'm using struts 2 framework with the following
configuration I received the following warning and my application
doesn't work
[Form] No configuration found for the specified action: '/' in
namespace: ''. Form action defaulting to 'action' attribute's literal value.