oss-sec mailing list archives
Re: CVE request: Apache Struts S2-010 and S2-011
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 01 Sep 2012 17:13:50 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/01/2012 11:35 AM, Raphael Geissert wrote:
> Hi,
>
> Apache Struts 2.3.4.1 fixes the vulnerabilities described in S2-010 (CSRF)
> and S2-011 (DoS). Could CVE ids be assigned please?

Yes, confirmed struts 2.3.4.1 was released August 11, 2012.

====
[1] http://struts.apache.org/2.x/docs/s2-010.html

When using Struts 2 token mechanism for CSRF protection, token check may be
bypassed by misusing known session attributes

Please use CVE-2012-4386 for this issue.

====
[2] http://struts.apache.org/2.x/docs/s2-011.html

Long request parameter names might significantly promote the effectiveness
of DOS attacks

Please use CVE-2012-4387 for this issue.

These don't appear to affect struts 1.2.x/1.3.x.

- -- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQQpauAAoJEBYNRVNeJnmTShsQAKIZvJnzfCPE8TZBy3hj265v
vwDUwHUynvom4pEvXfORIY3ni2QmwGOD9mzUKr9WI3Qw+AGNsEjB7AeYYczxWbK/
fmuqG5StLrZBMMZju/MseMcbgZcExom+xaas8S9/qU5aTbyx7QvAnnSO/W3xdOzy
srEQlW4sSUrPQ3JqXJIYKMOPFoVWXKT4kpq3UF+2zQGunPRbn2FyCKzM7iWhKtKb
XPdFYxbjKycnDlv8uKlSDeQiQVnDHfdT1jHnLVY9hao1EpF2lfOLT2OPapa5p7Td
uRKgBNsGyIhZPKBRvSQKIs+WKD+SAFrkJ+fy01NnxGNpGUMXA/+vwMjOh+Jktbgr
h30rJQNUtBIS83M0oL6zxj9oXKJ/rYFtCSc/XcQb3X7jdZ7vV9kKHVZlQ6yP/qCH
mn6E0G9xzzs4FNat0rKlvSa13NQM736g9GH4stZOnzqMken7c24HizLLf3KUcXhE
Mo/jiPUOTNufpzgdUdi+somDFKq4BPU9X4Vkiftid6BYDLruCmh+HODlUwRu6LVF
UnGIGp1gdZAmTIS+O00TQb9Rne7PWyT+BRHHl454+k6cdIrQmyacYgKLxwBzcHCq
jgWaDbTjS0cDsmjWMLFRGE3AIJ4wWod1vPMIQv5Tw6X25fGSRpUZqh0AVK/e8l5H
3wFKAPZVfXNaLS74lNoW
=bRtv
-----END PGP SIGNATURE-----
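The two advisory one-liners above describe two vulnerability classes: a CSRF token check that can be satisfied with a session attribute the client already knows (S2-010 / CVE-2012-4386), and request parameter names long enough to make per-parameter processing expensive (S2-011 / CVE-2012-4387). The following Python is an added illustration written for this archive page; it is not Struts code and not the fix the Struts project shipped. It contrasts a weak token lookup, in which the request may choose which session attribute holds the expected token, with a hardened one that uses a fixed server-side key, a constant-time comparison and single-use tokens, and it puts a cheap cap on parameter-name length ahead of any other per-request work. The key name `_csrf_token`, the limit of 100 characters, the function names and the sample session are all assumptions of this example.

```python
import hmac
import secrets

# Both names below are assumptions for this illustration, not Struts settings.
CSRF_SESSION_KEY = "_csrf_token"   # fixed, server-chosen session attribute
MAX_PARAM_NAME_LEN = 100           # illustrative cap on parameter-name length


def issue_csrf_token(session):
    """Store a fresh random token under the fixed key and return it for the form."""
    token = secrets.token_urlsafe(32)
    session[CSRF_SESSION_KEY] = token
    return token


def csrf_check_weak(session, params):
    """Weak pattern (illustration of the S2-010 class, not Struts' code): the
    request may name which session attribute holds the expected token, so any
    attribute whose value the client already knows satisfies the check."""
    key = params.get("token_name", CSRF_SESSION_KEY)
    expected = session.get(key)
    return expected is not None and params.get("token") == expected


def csrf_check_hardened(session, params):
    """Hardened check: fixed server-side key, constant-time compare, and the
    token is consumed on success so a replayed request fails."""
    expected = session.get(CSRF_SESSION_KEY)
    submitted = params.get("token")
    if not isinstance(expected, str) or not isinstance(submitted, str):
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    del session[CSRF_SESSION_KEY]
    return True


def oversized_param_names(params, limit=MAX_PARAM_NAME_LEN):
    """Parameter names longer than the cap. Run before any per-parameter work so
    an oversized request costs one length comparison per name and nothing more."""
    return [name for name in params if len(name) > limit]


def precheck(session, params):
    """Order matters: the cheap length guard runs first, the token check second."""
    bad = oversized_param_names(params)
    if bad:
        return ("reject", "%d parameter name(s) exceed %d chars"
                % (len(bad), MAX_PARAM_NAME_LEN))
    if not csrf_check_hardened(session, params):
        return ("reject", "csrf token missing, mismatched or already used")
    return ("accept", None)


if __name__ == "__main__":
    # Constructed sample session: a legitimate token plus an attribute whose
    # value the client already knows (its own username).
    session = {"username": "alice"}
    token = issue_csrf_token(session)
    forged = {"token_name": "username", "token": "alice"}
    print(csrf_check_weak(dict(session), forged))       # True: the weak lookup is satisfied
    print(csrf_check_hardened(dict(session), forged))   # False
    print(precheck(dict(session), {"token": token}))    # ('accept', None)
```

The weak function is kept only to make the difference visible: the hardened check never lets request data influence where the expected token is read from, and the length guard sits in front of it so the token comparison (and anything heavier behind it) is never reached for a request whose parameter names already exceed the cap.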
Current thread:
- CVE request: Apache Struts S2-010 and S2-011 Raphael Geissert (Sep 01)
- Re: CVE request: Apache Struts S2-010 and S2-011 Kurt Seifried (Sep 01)