Just browsing the results of a search for "xss severity" on Google, at
first glance most people seem to rate XSS exploits as "high", which would
map to "Important" in MS speech.
On Tue, 4.03.2008, 10:39, Don Brown wrote:
> Well, this was the first hit on google:
> http://www.microsoft.com/techne
ECTED]>
> To: "Struts Developers List"
> Sent: Tuesday, March 04, 2008 8:04 AM
> Subject: Re: [VOTE] Struts 2.0.11.1 Quality (fast track) - PROPOSED
> ANNOUNCEMENT
>
>
>> What about:
>>
>> * All developers are strongly advised to update Struts 2 applic
Well, this was the first hit on google:
http://www.microsoft.com/technet/security/bulletin/rating.mspx
Therefore, I'd say Moderate to Important.
Don
On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
> Yes, sounds good to me. How about the criticality rating in the
> bulletin? "Critical" was - I
esday, March 04, 2008 8:04 AM
Subject: Re: [VOTE] Struts 2.0.11.1 Quality (fast track) - PROPOSED
ANNOUNCEMENT
What about:
* All developers are strongly advised to update Struts 2 applications
to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
In this way, we aren't quit
Yes, sounds good to me. How about the criticality rating in the
bulletin? "Critical" was - I have to admit :) - just copied from 001,
what would be a fitting rating here?
Don Brown wrote:
> What about:
>
> * All developers are strongly advised to update Struts 2 applications
> to Struts 2.0.11.
What about:
* All developers are strongly advised to update Struts 2 applications
to Struts 2.0.11.1 to prevent XSS attacks through Struts 2 tags.
In this way, we aren't quite so "in-your-face" and a quick summary of
the issue and what part of Struts 2 is affected is included. The
qualifier is p
Agreed. How should we put it better?
Don Brown wrote:
> Good point. This pales in comparison to, say, the OGNL remote code
> exploit. XSS exploits, while important, just aren't anywhere near as
> big of a deal.
>
> Don
>
> On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
> <[EMAIL PROTECTED]> wro
Good point. This pales in comparison to, say, the OGNL remote code
exploit. XSS exploits, while important, just aren't anywhere near as
big of a deal.
Don
On Tue, Mar 4, 2008 at 12:43 PM, Jeromy Evans
<[EMAIL PROTECTED]> wrote:
> My opinion is that the criticality is overstated.
> However it is
My opinion is that the criticality is overstated.
However it is useful to draw attention to the vulnerability.
Don Brown wrote:
Looks good. Thanks for creating a security bulletin as well.
Don
On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
The release has been submitted for mirroring.
Good point.
How about
ALL DEVELOPERS USING STRUTS 2 ARE STRONGLY ADVISED TO UPDATE TO STRUTS
2.0.11.1 IMMEDIATELY!
Wendy Smoak wrote:
> On Mon, Mar 3, 2008 at 6:24 PM, Rene Gielen <[EMAIL PROTECTED]> wrote:
>> The release has been submitted for mirroring. Here's a draft
>> announcement that we
Wendy Smoak wrote:
* ALL DEVELOPERS ARE STRONGLY ADVISED TO UPDATE TO STRUTS 2.0.11.1
IMMEDIATELY!
All developers using Struts 2 are ... ?
I think we need to make it clear that Struts 1 apps are not affected.
That's true, but since there may be people that see this notice and then
update
On Mon, Mar 3, 2008 at 6:24 PM, Rene Gielen <[EMAIL PROTECTED]> wrote:
> The release has been submitted for mirroring. Here's a draft
> announcement that we could post tomorrow morning, including a link to a
> corresponding security bulletin announcement in the wiki. Comments and
> corrections t
Looks good. Thanks for creating a security bulletin as well.
Don
On 3/4/08, Rene Gielen <[EMAIL PROTECTED]> wrote:
> The release has been submitted for mirroring. Here's a draft
> announcement that we could post tomorrow morning, including a link to a
> corresponding security bulletin announce
The release has been submitted for mirroring. Here's a draft
announcement that we could post tomorrow morning, including a link to a
corresponding security bulletin announcement in the wiki. Comments and
corrections to both texts are highly appreciated.
Apache Struts 2.0.11.1 is now availabl