Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
2017-09-05 17:06 GMT+02:00 Emi : > Hello, >> >> 2017-09-05 15:17 GMT+02:00 Lukasz Lenart : >>> >>> - S2-052 Possible Remote Code Execution attack when using the Struts REST >>> plugin with XStream handler to handle XML payloads >>> http://struts.apache.org/docs/s2-050.html >> >> It's supposed

Re: Struts 2.3 fix for s2-052?

2017-09-05 Thread Lukasz Lenart
2017-09-06 6:22 GMT+02:00 William Stranathan : > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 > patch available yet. I've tried with the latest snapshots, and those are > also vulnerable. > > Is there a fix for this vulnerability on the 2.3 stream forthcoming? I have ca

Struts 2.3 fix for s2-052?

2017-09-05 Thread William Stranathan
Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 patch available yet. I've tried with the latest snapshots, and those are also vulnerable. Is there a fix for this vulnerability on the 2.3 stream forthcoming?

Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Emi
Hello, 2017-09-05 15:17 GMT+02:00 Lukasz Lenart : - S2-052 Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads http://struts.apache.org/docs/s2-050.html It's supposed to be http://struts.apache.org/docs/s2-052.html Just wan

Re: Clicking helloworld link got java.lang.NoSuchMethodError: org.apache.commons.lang3.reflect.MethodUtils.getAnnotation

2017-09-05 Thread Yasser Zamani
But it's impossible! Your my_tomcat.log must have at least one load occurrence for the MethodUtils class. Maybe the app has failed to start at all, otherwise I think you get NoClassDefFoundError (not NoSuchMethodError). On 9/5/2017 3:51 PM, albert kao wrote: > I tried > export > CLASSPATH=$JAV

Re: [ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
2017-09-05 15:17 GMT+02:00 Lukasz Lenart : > - S2-052 Possible Remote Code Execution attack when using the Struts REST > plugin with XStream handler to handle XML payloads > http://struts.apache.org/docs/s2-050.html It's supposed to be http://struts.apache.org/docs/s2-052.html Regards -- Ł

[ANN] Apache Struts 2.5.13 GA with Security Fixes Release

2017-09-05 Thread Lukasz Lenart
The Apache Struts group is pleased to announce that Struts 2.5.13 is available as a “General Availability” release. The GA designation is our highest quality grade. Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to

Re: Clicking helloworld link got java.lang.NoSuchMethodError: org.apache.commons.lang3.reflect.MethodUtils.getAnnotation

2017-09-05 Thread albert kao
I tried export CLASSPATH=$JAVA_HOME/lib:$HOME/Struts2/struts-2.5.12/lib:$CATALINA_HOME/lib:$CLASSPATH:. but the helloworld link in index.jsp still did not see the /home/alkao/Struts2/struts-2.5.12/lib/commons-lang3-3.6.jar. my_tomcat.log did not have this line any more [Loaded org.apache.commons