A vulnerability in Apache Struts 1 ActionForm allowing unintended remote operations against components on server memory, such as Servlets and ClassLoader, was found (CVE-2016-1181). Affects Apache Struts 1 versions 1.0 through 1.3.10.
External References: https://jvn.jp/en/jp/JVN03188560/
---------------------------------------
It was reported that the Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified. This occurs when ValidatorForm and ValidatorActionForm (including their subclasses) are in the session scope (CVE-2016-1182). Affects Apache Struts 1 versions 1.0 through 1.3.10.
External References: https://jvn.jp/en/jp/JVN65044642/
---------------------------------------
Patch: https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8

So Cauldron and mga5 are both affected.
Assignee: bugsquad => geiger.david68210
Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO
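The two advisories above describe the same underlying pattern: request parameters are copied onto a form bean by reflective property population, and a nested property name can walk from the form into server-side objects that its getters expose (the servlet, its class loader, or a session-scoped validator form's state). The following is an added, constructed example and not Struts code or the struts1-forever patch; it uses a tiny hand-written property walker as a stand-in for the Commons BeanUtils population that Struts 1 performs, and the class names DemoForm, ServerSideThing, naivePopulate and safePopulate are hypothetical. It shows a nested parameter reaching an internal object, and a hardened populate that admits only an explicit allowlist of top-level fields.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Constructed example: a minimal stand-in for reflective
// request-parameter-to-bean population. Not Struts code, not the
// struts1-forever fix; all names here are hypothetical.
public class FormPopulationDemo {

    // Stands in for a server-side object reachable from the form bean
    // through a getter (the real ActionForm exposes servlet-side objects).
    public static class ServerSideThing {
        private String setting = "default";
        public String getSetting() { return setting; }
        public void setSetting(String s) { setting = s; }
    }

    // Stands in for a session-scoped form bean: one intended field plus a
    // getter that hands the property walker an internal server object.
    public static class DemoForm {
        private String username = "";
        private final ServerSideThing internal = new ServerSideThing();
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
        public ServerSideThing getInternal() { return internal; }
    }

    // Naive nested populate: "a.b.c=v" walks getA().getB() and calls setC(v).
    // Any object reachable through a getter chain becomes writable.
    static void naivePopulate(Object bean, Map<String, String> params) throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String[] path = e.getKey().split("\\.");
            Object target = bean;
            for (int i = 0; i < path.length - 1; i++) {
                target = call(target, "get" + cap(path[i]));
            }
            Method setter = target.getClass()
                .getMethod("set" + cap(path[path.length - 1]), String.class);
            setter.invoke(target, e.getValue());
        }
    }

    // Hardened populate: refuse nested or indexed paths outright and set only
    // top-level fields named in the allowlist. The allowlist is this example's
    // own choice, not a Struts API.
    static void safePopulate(Object bean, Map<String, String> params, Set<String> allowed)
            throws Exception {
        for (Map.Entry<String, String> e : params.entrySet()) {
            String key = e.getKey();
            if (key.contains(".") || key.contains("[") || key.contains("(")
                    || !allowed.contains(key)) {
                throw new IllegalArgumentException("refusing to populate property: " + key);
            }
            bean.getClass().getMethod("set" + cap(key), String.class).invoke(bean, e.getValue());
        }
    }

    static Object call(Object o, String getter) throws Exception {
        return o.getClass().getMethod(getter).invoke(o);
    }

    static String cap(String s) {
        return Character.toUpperCase(s.charAt(0)) + s.substring(1);
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters: one legitimate field and one
        // nested path that reaches into the internal object.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("username", "alice");
        params.put("internal.setting", "attacker-controlled");

        DemoForm f1 = new DemoForm();
        naivePopulate(f1, params);
        System.out.println("naive: internal.setting = " + f1.getInternal().getSetting());

        DemoForm f2 = new DemoForm();
        try {
            safePopulate(f2, params, Set.of("username"));
        } catch (IllegalArgumentException ex) {
            System.out.println("safe: " + ex.getMessage());
        }
        System.out.println("safe: internal.setting = " + f2.getInternal().getSetting());
    }
}
```

Compile and run with `javac FormPopulationDemo.java && java FormPopulationDemo` (Java 9 or later for `Set.of`). The naive walker leaves the internal object holding the attacker's value; the hardened one rejects the nested key and the internal object keeps its default. Validating parameter names before population is the point; checking the keys before the loop rather than inside it would additionally avoid the partially applied state that the example's safePopulate leaves behind when it throws on the second key.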
Ahh, sorry, you already fixed it in Cauldron. Thanks for this.

Fixed mga5 packages:
struts-1.3.10-8.2.mga5
struts-javadoc-1.3.10-8.2.mga5
from struts-1.3.10-8.2.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Advisory:
========================

Updated struts packages fix security vulnerabilities:

A vulnerability in Apache Struts 1 ActionForm allowing unintended remote operations against components on server memory, such as Servlets and ClassLoader, was found (CVE-2016-1181).

It was reported that the Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified. This occurs when ValidatorForm and ValidatorActionForm (including their subclasses) are in the session scope (CVE-2016-1182).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
https://jvn.jp/en/jp/JVN65044642/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UQI2PYM3R4FWEOVHIFT7KUPTILG2DFMZ/
========================

Updated packages in core/updates_testing:
========================
struts-1.3.10-8.2.mga5
struts-javadoc-1.3.10-8.2.mga5

from struts-1.3.10-8.2.mga5.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/693179/
Assignee: geiger.david68210 => qa-bugs
Severity: normal => critical
*** Bug 18872 has been marked as a duplicate of this bug. ***
CC: (none) => luigiwalser
Testing complete mga5 64 Java modules. Just ensuring they update cleanly, which they do. Validating.
Keywords: (none) => validated_update
Whiteboard: (none) => has_procedure mga5-64-ok
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga5-64-ok => has_procedure advisory mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0244.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED