>From: Kiran Ananthpur Bacche (kbacche) <kbac...@cisco.com.INVALID> >Sent: Friday, August 31, 2018 7:27 AM >To: user@struts.apache.org >Subject: Quick question on the patch for CVE-2018-11776 > >Hi Team, > >Version 2.3.35 is the official patch for this vulnerability. However v2.3.35 >has a >bunch of other fixes too. > >So if we want the patch for only "CVE-2018-11776", what are the options >available? > >Is the fix for "CVE-2018-11776" contained completely in >DefaultActionMapper.java? > >Given that there was a backward compatibility issue seen with upgrade from >2.3.34 to 2.3.35 (ref: https://www.mail- >archive.com/us...@maven.apache.org/msg140838.html), we are checking to >see if there is a way to have a patch that fixes only "CVE-2018-11776".
Hi, We are so sorry for inconvenience :( We have fixed it and a new small release will be available soon. Regards. --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org