Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
89
security advisoryfedoracriticalFedora 22: 2015-14237 Critical: Struts Input Validation Bypass
fix CVE-2015-0899. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2015-14237 2015-09-04 03:17:06.806356 -------------------------------------------------------------------------------- Name : struts Product : Fedora 22 Version : 1.3.10 Release : 14.fc22 URL : https://struts.apache.org/ Summary : Web application framework Description : Welcome to the Struts Framework! The goal of this project is to provide an open source framework useful in building web applications with Java Servlet and JavaServer Pages (JSP) technology. Struts encourages application architectures based on the Model-View-Controller (MVC) design paradigm, colloquially known as Model 2 in discussions on various servlet and JSP related mailing lists. Struts includes the following primary areas of functionality: A controller servlet that dispatches requests to appropriate Action classes provided by the application developer. JSP custom tag libraries, and associated support in the controller servlet, that assists developers in creating interactive form-based applications. Utility classes to support XML parsing, automatic population of JavaBeans properties based on the Java reflection APIs, and internationalization of prompts and messages. -------------------------------------------------------------------------------- Update Information: fix CVE-2015-0899 -------------------------------------------------------------------------------- References: [ 1 ] Bug #1256620 - CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1256620 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update struts' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list
Sep 04, 2015
•Critical
Fedora
100
security advisoryupdatesoftware patchSUSE: 2014:0902-1 Important: Struts Remote Code Execution
An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available.. SUSE Security Update: Security update for struts ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0902-1 Rating: important References: #875455 Cross-References: CVE-2014-0114 Affected Products: SUSE Manager Server SUSE Manager 1.7 for SLE 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Apache Struts was updated to fix a security issue: * CVE-2014-0114: The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method. Security Issue reference: * CVE-2014-0114 Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager Server: zypper in -t patch sleman21-struts-9423 - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-struts-9422 - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-struts-9423 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager Server (noarch): struts-1.2.9-162.33.1 - SUSE Manager 1.7 for SLE 11 SP2 (noarch): struts-1.2.9-162.33.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch): struts-1.2.9-162.33.1 struts-javadoc-1.2.9-162.33.1 struts-manual-1.2.9-162.33.1 References: https://www.suse.com/security/cve/CVE-2014-0114.html https://login.microfocus.com/nidp/app/login?sid=0 https://scc.suse.com:443/patches/ https://scc.suse.com:443/patches/ . SUSE Security Update for tomcat tackles significant vulnerabilities with essential patches. Verify your exact version immediately.. SUSE Manager Server, struts update, remote execution fix, security patch. . Severity: Important. LinuxSecurity.com Team
Jul 16, 2014
•Important
SuSE
200
security advisoryremote code executionimportantScientific Linux: SLSA-2014:0474-1 Critical Struts Remote Code Execution
Important: struts security update. Date: Tue, 6 May 2014 10:41:52 -0500 Reply-To: Bonnie King Sender: Security Errata for Scientific Linux From: Bonnie King Subject: FASTBUGS for SL 6x i386, x86_64 now available Comments: To:
May 07, 2014
•Critical
Scientific Linux
98
security advisoryremote code executionRed Hat Enterprise LinuxRed Hat Enterprise Linux 5 RHSA-2014:0474-01 Critical Remote Code Execution
Updated struts packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ==================================================================== Red Hat Security Advisory Synopsis: Important: struts security update Advisory ID: RHSA-2014:0474-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2014:0474.html Issue date: 2014-05-07 CVE Names: CVE-2014-0114 ==================================================================== 1. Summary: Updated struts packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Thisupdate is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters 6. Package List: RHEL Desktop Workstation (v. 5 client): Source: i386: struts-1.2.9-4jpp.8.el5_10.i386.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm x86_64: struts-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 5server): Source: i386: struts-1.2.9-4jpp.8.el5_10.i386.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm ia64: struts-1.2.9-4jpp.8.el5_10.ia64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.ia64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.ia64.rpm struts-manual-1.2.9-4jpp.8.el5_10.ia64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.ia64.rpm ppc: struts-1.2.9-4jpp.8.el5_10.ppc.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.ppc.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.ppc.rpm struts-manual-1.2.9-4jpp.8.el5_10.ppc.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.ppc.rpm s390x: struts-1.2.9-4jpp.8.el5_10.s390x.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.s390x.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.s390x.rpm struts-manual-1.2.9-4jpp.8.el5_10.s390x.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.s390x.rpm x86_64: struts-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2014-0114 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTacDGXlSAg2UNWIIRAhvbAJ0Za5jRat54AcgbIdHKlzbZN1y1hACcC8DR HJqJt2S278nXdfwLyGc7EJQ=qMuX -----END PGP SIGNATURE----- -- Enterprise-watch-list mailing list
May 07, 2014
•Important
Red Hat
98
security advisorysecurity updateRed Hat Enterprise LinuxRed Hat: RHSA-2014:0474-01 Critical: struts Remote Execution Risk
Updated struts packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having [More...]. ==================================================================== Red Hat Security Advisory Synopsis: Important: struts security update Advisory ID: RHSA-2014:0474-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2014:0474.html Issue date: 2014-05-07 CVE Names: CVE-2014-0114 ==================================================================== 1. Summary: Updated struts packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 3. Description: Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions. (CVE-2014-0114) All struts users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using struts must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this updateare available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1091938 - CVE-2014-0114 Apache Struts 1: Class Loader manipulation via request parameters 6. Package List: RHEL Desktop Workstation (v. 5 client): Source: i386: struts-1.2.9-4jpp.8.el5_10.i386.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm x86_64: struts-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: i386: struts-1.2.9-4jpp.8.el5_10.i386.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.i386.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.i386.rpm struts-manual-1.2.9-4jpp.8.el5_10.i386.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.i386.rpm ia64: struts-1.2.9-4jpp.8.el5_10.ia64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.ia64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.ia64.rpm struts-manual-1.2.9-4jpp.8.el5_10.ia64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.ia64.rpm ppc: struts-1.2.9-4jpp.8.el5_10.ppc.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.ppc.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.ppc.rpm struts-manual-1.2.9-4jpp.8.el5_10.ppc.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.ppc.rpm s390x: struts-1.2.9-4jpp.8.el5_10.s390x.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.s390x.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.s390x.rpm struts-manual-1.2.9-4jpp.8.el5_10.s390x.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.s390x.rpm x86_64: struts-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-debuginfo-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-javadoc-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-manual-1.2.9-4jpp.8.el5_10.x86_64.rpm struts-webapps-tomcat5-1.2.9-4jpp.8.el5_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signatureare available from https://access.redhat.com/security/team/key/#package 7. References: https://access.redhat.com/security/cve/CVE-2014-0114 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. . Important kernel patch issued for CentOS 5 to combat major vulnerability concerns. Click here for details.. Red Hat Enterprise Linux,struts update,remote execution risk. . Severity: Important. LinuxSecurity.com Team
May 07, 2014
•Important
Red Hat
98
security advisorysecurity updatecross site scriptingRed Hat App Server 3: RHSA-2006:0157-01 Low: Struts XSS Vulnerability
Updated Red Hat Application Server components are now available including a security update for Struts. This update has been rated as having low security impact by the Red Hat Security Response Team. . - ---------------------------------------------------------------------Red Hat Security Advisory Synopsis: Low: struts security update for Red Hat Application Server Advisory ID: RHSA-2006:0157-01 Advisory URL: Issue date: 2006-01-11 Updated on: 2006-01-11 Product: Red Hat Application Server CVE Names: CVE-2005-3745 - ---------------------------------------------------------------------1. Summary: Updated Red Hat Application Server components are now available including a security update for Struts. This update has been rated as having low security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Application Server 3AS - noarch Red Hat Application Server 3ES - noarch Red Hat Application Server 3WS - noarch 3. Problem description: Red Hat Application Server packages provide a J2EE Application Server and Web container as well as the underlying Java stack. A cross-site scripting flaw was found in the way Struts displays error pages. It may be possible for an attacker to construct a specially crafted URL which could fool a victim into believing they are viewing a trusted site. The Common Vulnerabilities and Exposures project assigned the name CVE-2005-3745 to this issue. Please note that this issue does not affect Struts running on Tomcat or JOnAS, which is our supported usage of Struts. All users of Red Hat Application Server should upgrade to these updated packages, which contain Struts version 1.2.8 which is not vulnerable to this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade.Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/): 173929 - CVE-2005-3745 struts cross site scripting flaw 6. RPMs required: Red Hat Application Server 3AS: SRPMS: 46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm 155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm noarch: f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm 32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm 19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm 80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm 96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm 9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm Red Hat Application Server 3ES: SRPMS: 46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm 155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm noarch: f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm 32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm 19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm 80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm 96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm 9f50fcbd73cc59fdb65383bd9f3c28efstruts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm Red Hat Application Server 3WS: SRPMS: 46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm 155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm noarch: f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm 32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm 19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm 80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm 96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm 9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.cve.org/CVERecord?id=CVE-2005-3745 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2006 Red Hat, Inc. . Essential updates feature an enhanced authentication protocol for CentOS Web Server, affecting specific hardware configurations.. struts security, Red Hat application server fix, security update for Red Hat. . Severity: Low. LinuxSecurity.com Team
Jan 17, 2006
•Low
Red Hat
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!