All versions are impacted AFAIK if you run Tomcat 8. The whole thing is
about using a bindable path to the class loader in order to exec arbitrary
code on the server.
I could not reproduce on jetty using the same path, and I didn't have time
to check tomcat 6 and 7 yesterday, which I'll do today.
But in any case, this fix is required ASAP, as you can't know all possible
bindings on ClassLoader, especially those of the various containers...
Cheers
Remi
2014-04-27 22:00 GMT+02:00 Timothy Stone <[email protected]>:
>
> Remi,
>
> Do we know how far back this goes? We run 1.5.3 and 1.5.7.
>
> Tim
>
> On 4/26/14, 5:20 AM, VANKEISBELCK Remi wrote:
> > Hi folks,
> >
> > I haven't seen any communication about this fix:
> >
> > https://github.com/StripesFramework/stripes/commit/b4c043ce50f3f032abc47878cf70019db0675c7a
> >
> > It seems to be a quite ugly security issue actually, same as:
> > http://struts.apache.org/announce.html ClassLoader manipulation?
> > Holy sh*t! Running arbitrary code now? wtf?
> >
> > Do we plan to release a hot fix for 1.5.7? Or release 1.5.8?
> >
> > I guess we might also wanna drop an email on the users list. This
> > is something all Stripes users should be aware of. Good opportunity to
> > recall about @Validate and @StrictBinding, for those who don't use
> > it...
> >
> > Cheers
> >
> > Rémi
> >
> > _______________________________________________
> > Stripes-development mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/stripes-development
> >
>
>
>
>
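As an added example of the @Validate / @StrictBinding reminder in the quoted thread above (this is not code from the Stripes fix commit or from anyone on the list): an ActionBean whose request-parameter binding is limited to the two properties it declares, so a parameter naming any other property path is dropped rather than bound. The bean name, URL and properties are assumptions made for illustration.

```java
// Added example; ProfileActionBean, its URL and its properties are constructed.
import net.sourceforge.stripes.action.ActionBean;
import net.sourceforge.stripes.action.ActionBeanContext;
import net.sourceforge.stripes.action.DefaultHandler;
import net.sourceforge.stripes.action.ForwardResolution;
import net.sourceforge.stripes.action.Resolution;
import net.sourceforge.stripes.action.StrictBinding;
import net.sourceforge.stripes.action.UrlBinding;
import net.sourceforge.stripes.validation.Validate;

@UrlBinding("/profile.action")
// With @StrictBinding the default policy is DENY: a request parameter is bound
// to a bean property only when that property is explicitly allowed. Parameters
// naming any other property path (including paths that reach the class loader
// through getClass()) are ignored instead of being bound.
@StrictBinding
public class ProfileActionBean implements ActionBean {

    private ActionBeanContext context;
    private String displayName;
    private String email;

    public ActionBeanContext getContext() { return context; }
    public void setContext(ActionBeanContext context) { this.context = context; }

    // @Validate both constrains the value and marks the property as bindable
    // under @StrictBinding, so these two annotations are the whole allow-list.
    @Validate(required = true, maxlength = 64)
    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }

    // mask is a regex the entire value must match; a value that fails it is a
    // validation error and is never bound.
    @Validate(required = true, maxlength = 254, mask = "[^@\\s]+@[^@\\s]+")
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }

    @DefaultHandler
    public Resolution save() {
        // Persist displayName and email here; nothing else could have been bound.
        return new ForwardResolution("/WEB-INF/jsp/profile_saved.jsp");
    }
}
```

The same allow-list can be widened per bean with @StrictBinding's allow attribute where a form legitimately binds nested properties.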