On Thu, Dec 19, 2024 at 11:00:01AM +0100, Jarek Potiuk wrote:
> While this might be a popular feature, It's pretty well handled by the
> Struts team IMHO and I hardly can think what else we can do about it.

https://www.theregister.com/2024/12/12/apache_struts_2_vuln/ via
https://risky.biz/RB775/ is not as happy about the fix.

Upgrading this mechanism isn't as easy as applying a simple update. Users will have to rewrite their actions to ensure compatibility with Action File Upload but the alternative isn't acceptable. As Apache notes: "Using the old File Upload mechanism keeps you vulnerable to this attack."

vh

Mads Toftum
-- 
http://flickr.com/photos/q42/
