lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Apr 2014 17:37:13 +0200
From: Rene Gielen <rgielen@...che.org>
To: fulldisclosure@...lists.org
Subject: [FD] [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation
 (security | critical)

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request
parameters was supposed to be resolved. Unfortunately, the correction
wasn't sufficient.

A security fix release fully addressing this issue is in preparation and
will be released as soon as possible.

Once the release is available, all Struts 2 users are strongly
recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly
recommended to apply the mitigation described in [1] *

Please follow the Apache Struts announcement channels [2][3][4][5] to
stay updated regarding the upcoming security release. Most likely the
release will be available within the next 72 hours. Please prepare for
upgrading all Struts 2 based production systems to the new release
version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

-- 
René Gielen
http://twitter.com/rgielen

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists