SUSE Security Update: Security update for struts ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:0902-1 Rating: important References: #875455 Cross-References: CVE-2014-0114 Affected Products: SUSE Manager Server SUSE Manager 1.7 for SLE 11 SP2 SUSE Linux Enterprise Software Development Kit 11 SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: Apache Struts was updated to fix a security issue: * CVE-2014-0114: The ActionForm object in Apache Struts 1.x through 1.3.10 allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, which is passed to the getClass method. Security Issue reference: * CVE-2014-0114 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114> Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Manager Server: zypper in -t patch sleman21-struts-9423 - SUSE Manager 1.7 for SLE 11 SP2: zypper in -t patch sleman17sp2-struts-9422 - SUSE Linux Enterprise Software Development Kit 11 SP3: zypper in -t patch sdksp3-struts-9423 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Manager Server (noarch): struts-1.2.9-162.33.1 - SUSE Manager 1.7 for SLE 11 SP2 (noarch): struts-1.2.9-162.33.1 - SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch): struts-1.2.9-162.33.1 struts-javadoc-1.2.9-162.33.1 struts-manual-1.2.9-162.33.1 References: http://support.novell.com/security/cve/CVE-2014-0114.html https://bugzilla.novell.com/875455 http://download.suse.com/patch/finder/?keywords=11dc6b57770cce35af080f561b5a... http://download.suse.com/patch/finder/?keywords=fae66e428a1fc1171cb8d6304d55... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org