Dear group,

I hope that you can help to clear up my confusion about the current status of Struts 2.3.15.2 with regards to the security vulnerability S2-018 (see [1]).

So far, it was my understanding that S2-018 is fixed with the 2.3.15.2 release. And the release notes still suggest that this is the case (see [2]). Also, in [3] the vulnerability is categorized as only affecting Struts versions up to 2.3.15.1. But now I found that S2-018 is listed as a vulnerability affecting Struts 2.3.15.2 (see [4]). Also, the description of S2-018 currently states the following: "In Struts 2 before 2.3.15.3, under certain conditions this can be used to bypass security constraints."

I am aware that there are backward compatibility issues with the action: prefix not working with Struts 2.3.15.2. However, some of the projects I am administrating (and which are running Struts 2.3.15.2) do not make use of that feature.

My question is: do I need to update those systems in order not to be affected by a security vulnerability? Or is S2-018 merely listed as affecting Struts 2.3.15.2 because of the backward compatibility issue, but the security issue is fixed?

Many thanks in advance,
Markus

[1] http://struts.apache.org/development/2.x/docs/s2-018.html
[2] http://struts.apache.org/development/2.x/docs/version-notes-23152.html
[3] http://www.cvedetails.com/cve/CVE-2013-4310/
[4] http://struts.apache.org/downloads.html