Odd - when I tested the snapshots, they were still vulnerable. I'm not able to get it to build from source (now some odd javac access exception).
Where do I get the bits for testing 2.3.34, if not the snapshots? On Wed, Sep 6, 2017 at 1:36 AM Lukasz Lenart <lukaszlen...@apache.org> wrote: > 2017-09-06 6:22 GMT+02:00 William Stranathan <w...@thestranathans.com>: > > Struts 2.3 is also vulnerable to the s2-052 RCE. However, there's no 2.3 > > patch available yet. I've tried with the latest snapshots, and those are > > also vulnerable. > > > > Is there a fix for this vulnerability on the 2.3 stream forthcoming? > > I have called for a vote just now, 2.3.34 contains all the backports > from 2.5.13 related to the security vulnerabilities. Please test and > report back. > > > Regards > -- > Ćukasz > + 48 606 323 122 <+48%20606%20323%20122> http://www.lenart.org.pl/ > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > >
