RedHat has issued an advisory today (May 7): https://rhn.redhat.com/errata/RHSA-2014-0474.html Mageia 3 and Mageia 4 are also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated struts packages fix security vulnerability: It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions (CVE-2014-0114). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114 https://rhn.redhat.com/errata/RHSA-2014-0474.html ======================== Updated packages in core/updates_testing: ======================== struts-1.3.10-3.1.mga3 struts-javadoc-1.3.10-3.1.mga3 struts-1.3.10-4.1.mga4 struts-javadoc-1.3.10-4.1.mga4 from SRPMS: struts-1.3.10-3.1.mga3.src.rpm struts-1.3.10-4.1.mga4.src.rpm
Version: Cauldron => 4Assignee: dmorganec => qa-bugsWhiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing complete mga4 64 No idea how to test this one. As with many other java packages, just ensuring packages update cleanly.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure advisory mga4-64-ok
Tested all the rest too. Validating. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure advisory mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0219.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED