Bug 18763

Summary: struts new security issue CVE-2016-1181 and CVE-2016-1182
Product: Mageia Reporter: David GEIGER <geiger.david68210>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: luigiwalser, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/693179/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: struts-1.3.10-8.1.mga5.src.rpm CVE:
Status comment:

Description David GEIGER 2016-06-22 19:30:06 CEST 
A vulnerability in Apache Struts 1 ActionForm allowing unintended remote operations against components on server memory, such as Servlets and ClassLoader, was found (CVE-2016-1181).

Affects Apache Struts versions 1.0 through 1.3.10

External References:

https://jvn.jp/en/jp/JVN03188560/

---------------------------------------

It was reported that The Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified. This occurs when ValidatorForm and ValidatorActionForm (including its subclasses) are in the session scope (CVE-2016-1182).

Affects Apache Struts 1 versions 1.0 through 1.3.10.

External References:

https://jvn.jp/en/jp/JVN65044642/

---------------------------------------

Patch:

https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8


So Cauldron and mga5 are both affected.
David GEIGER 2016-06-22 19:39:56 CEST

Assignee: bugsquad => geiger.david68210

David Walser 2016-06-22 19:45:16 CEST

Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-06-22 19:47:13 CEST 
Ahh, sorry, you already fixed it in Cauldron.  Thanks for this.

Fixed mga5 packages:
struts-1.3.10-8.2.mga5
struts-javadoc-1.3.10-8.2.mga5

from struts-1.3.10-8.2.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 David Walser 2016-07-05 21:19:42 CEST 
Advisory:
========================

Updated struts packages fix security vulnerabilities:

A vulnerability in Apache Struts 1 ActionForm allowing unintended remote
operations against components on server memory, such as Servlets and
ClassLoader, was found (CVE-2016-1181).

It was reported that The Apache Struts 1 Validator contains a vulnerability
where input validation configurations (validation rules, error messages, etc.)
may be modified. This occurs when ValidatorForm and ValidatorActionForm
(including its subclasses) are in the session scope (CVE-2016-1182).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
https://jvn.jp/en/jp/JVN65044642/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQI2PYM3R4FWEOVHIFT7KUPTILG2DFMZ/
========================

Updated packages in core/updates_testing:
========================
struts-1.3.10-8.2.mga5
struts-javadoc-1.3.10-8.2.mga5

from struts-1.3.10-8.2.mga5.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/693179/
Assignee: geiger.david68210 => qa-bugs
Severity: normal => critical

Comment 3 David Walser 2016-07-05 21:20:03 CEST 
*** Bug 18872 has been marked as a duplicate of this bug. ***

CC: (none) => luigiwalser

Comment 4 claire robinson 2016-07-08 16:58:22 CEST 
Testing complete mga5 64

Java modules. Just ensuring they update cleanly, which they do.

Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => has_procedure mga5-64-ok
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 17:24:20 CEST

Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok

Comment 5 Mageia Robot 2016-07-08 21:51:44 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0244.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED