Bug 4035 - Update struts packages to fix this security vulnerability
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Contributed Packages
Version: Fresh
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: Private ROSA Bugs
Reported: 2014-05-18 23:33 MSD by Zombie Ryushu
Modified: 2015-05-28 00:40 MSD (History)
RPM Package: struts
Description Zombie Ryushu 2014-05-18 23:33:37 MSD
It was found that the Struts 1 ActionForm object allowed access to the
'class' parameter, which is directly mapped to the getClass() method. A
remote attacker could use this flaw to manipulate the ClassLoader
used by an application server running Struts 1. This could lead to
remote code execution under certain conditions (CVE-2014-0114).
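The following is an added illustration, not the bug reporter's text nor the backported upstream patch: a hypothetical request-parameter screen that drops any form parameter whose bean property path contains a "class" segment, so that form population can never reach getClass() and, through it, the ClassLoader. The class name, the separator set and the sample request are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/* Hypothetical mitigation: screen request parameter names before they are
 * handed to a bean-population routine (such as the one filling a Struts 1
 * ActionForm). Any path segment named "class" is rejected, case-insensitively,
 * because that segment maps to getClass() on the target bean. */
public final class ClassParameterFilter {

    /* Separators that delimit segments in a bean property path:
     * "a.b", "a[0]", "a(key)", and quoted keys such as a['k']. */
    private static final String SEPARATORS = "[.\\[\\]()'\"]+";

    /* True if the property path never names the "class" property. */
    public static boolean isAllowed(String paramName) {
        for (String segment : paramName.split(SEPARATORS)) {
            if (segment.toLowerCase(Locale.ROOT).equals("class")) {
                return false;
            }
        }
        return true;
    }

    /* Returns a copy of the request parameters with dangerous names removed. */
    public static Map<String, String> filter(Map<String, String> params) {
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (isAllowed(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        /* Constructed sample request: ordinary form fields plus names that
         * try to traverse the "class" property at different depths. */
        Map<String, String> request = new LinkedHashMap<>();
        request.put("username", "alice");
        request.put("address.city", "Moscow");
        request.put("class.classLoader.example", "x");
        request.put("address.class.classLoader.example", "y");
        request.put("items[0].Class.classLoader.example", "z");

        Map<String, String> safe = filter(request);
        System.out.println("kept: " + safe.keySet());
    }
}
```

Only "username" and "address.city" survive the filter; the three paths that traverse "class" are discarded before any bean property is set.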
Comment 1 Stanislav Fomin 2015-03-06 19:34:10 MSK
Need retesting before releasing Enterprise X2.
Comment 2 Denis Silakov 2015-05-22 16:00:19 MSD
Struts was not really used in Marathon, was moved to the contrib repository in Fresh and was removed from RED X2. But the version in our repositories is still subject to this vulnerability.

So let's recategorize this bug.
Comment 3 Denis Silakov 2015-05-28 00:40:19 MSD
A fix for CVE-2014-0114 has been backported to our struts.