SUSE-SU-2015:0886-1

Published: 20 Jun 2014
Source: suse-cvrf

Description

Security update for struts

Apache Struts was updated to fix a security issue:

* CVE-2014-0114: The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to 'manipulate' the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method.

Security Issue reference:

* CVE-2014-0114 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>

Package list

SUSE Linux Enterprise Software Development Kit 11 SP3
struts-1.2.9-162.33.1
struts-javadoc-1.2.9-162.33.1
struts-manual-1.2.9-162.33.1
SUSE Manager 1.7
struts-1.2.9-162.33.1
SUSE Manager 2.1
struts-1.2.9-162.33.1

Description

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.


Affected products
SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1
SUSE Linux Enterprise Software Development Kit 11 SP3:struts-javadoc-1.2.9-162.33.1
SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1
SUSE Manager 1.7:struts-1.2.9-162.33.1

References

Description

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.


Affected products
SUSE Linux Enterprise Software Development Kit 11 SP3:struts-1.2.9-162.33.1
SUSE Linux Enterprise Software Development Kit 11 SP3:struts-javadoc-1.2.9-162.33.1
SUSE Linux Enterprise Software Development Kit 11 SP3:struts-manual-1.2.9-162.33.1
SUSE Manager 1.7:struts-1.2.9-162.33.1

References
Vulnerability SUSE-SU-2015:0886-1