Forwarding from announce@a.o mailing list.

---------- Forwarded message ----------
From: Rene Gielen <rgie...@apache.org>
Date: 2014-04-24 19:28 GMT+04:00
Subject: [ANN] Struts 2 up to 2.3.16.1: Zero-Day Exploit Mitigation (security | critical)
To: annou...@apache.org

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, the correction wasn't sufficient.

A security fix release fully addressing this issue is in preparation and will be released as soon as possible. Once the release is available, all Struts 2 users are strongly recommended to update their installations.

* Until the release is available, all Struts 2 users are strongly recommended to apply the mitigation described [1] *

Please follow the Apache Struts announcement channels [2][3][4][5] to stay updated regarding the upcoming security release. Most likely the release will be available within the next 72 hours. Please prepare for upgrading all Struts 2 based production systems to the new release version once available.

- The Apache Struts Team.

[1] http://struts.apache.org/announce.html#a20140424
[2] http://struts.apache.org/mail.html
[3] http://struts.apache.org/announce.html
[4] https://plus.google.com/+ApacheStruts/posts
[5] https://twitter.com/TheApacheStruts

--
René Gielen
http://twitter.com/rgielen