Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1? Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's available?
As a reminder, these issues were fixed in 2.3.15.1, and one was marked highly critical:

- CVE 2013-2251 - S2-016<http://struts.apache.org/release/2.3.x/docs/s2-016.html> - In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized.
- CVE 2013-2248 - S2-017<http://struts.apache.org/release/2.3.x/docs/s2-017.html> - In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.

Unsure about appropriate panic level,
-rgm
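For triage on installs still below 2.3.15.1, the following added example (not part of the original message or of Struts) scans access-log lines for request parameters whose names begin with the prefixes quoted above. The log format, sample lines and the function name `find_prefixed_params` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes named in the S2-016 / S2-017 summaries.
PREFIXES = ("action:", "redirect:", "redirectAction:")

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2013:10:01:02 +0000] "GET /shop/list.action?page=2 HTTP/1.1" 200 5120
203.0.113.9 - - [20/Jul/2013:10:01:07 +0000] "GET /shop/list.action?redirect%3Ahttp%3A%2F%2Fexample.org%2F HTTP/1.1" 302 0
203.0.113.9 - - [20/Jul/2013:10:01:09 +0000] "GET /shop/list.action?redirectAction:home HTTP/1.1" 302 0
198.51.100.7 - - [20/Jul/2013:10:02:00 +0000] "GET /shop/view.action?note=see+redirect:docs HTTP/1.1" 200 812
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def find_prefixed_params(log_text):
    """Return (client, prefix, remainder, offsite) for every query parameter
    whose NAME starts with one of PREFIXES. Access logs only show query
    strings; parameters sent in POST bodies need a check elsewhere."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = urlsplit(target).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # An '=' inside the payload splits it; rejoin before matching.
            full = name + ("=" + value if value else "")
            for prefix in PREFIXES:
                if full.startswith(prefix):
                    rest = full[len(prefix):]
                    # A redirect target with its own host leaves the site (S2-017).
                    offsite = prefix != "action:" and bool(urlsplit(rest).netloc)
                    hits.append((client, prefix, rest, offsite))
                    break
    return hits

if __name__ == "__main__":
    for hit in find_prefixed_params(SAMPLE_LOG):
        print(hit)
```

The fourth sample line is not reported because the prefix appears in a parameter value, not at the start of a parameter name.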