Mailinglist Archive: opensuse-security-announce (25 mails)

< Previous Next >
[security-announce] SUSE-SU-2014:0902-1: important: Security update for struts
SUSE Security Update: Security update for struts
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0902-1
Rating: important
References: #875455
Cross-References: CVE-2014-0114
Affected Products:
SUSE Manager Server
SUSE Manager 1.7 for SLE 11 SP2
SUSE Linux Enterprise Software Development Kit 11 SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:


Apache Struts was updated to fix a security issue:

* CVE-2014-0114: The ActionForm object in Apache Struts 1.x through
1.3.10 allows remote attackers to "manipulate" the ClassLoader and
execute arbitrary code via the class parameter, which is passed to
the getClass method.

Security Issue reference:

* CVE-2014-0114
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Manager Server:

zypper in -t patch sleman21-struts-9423

- SUSE Manager 1.7 for SLE 11 SP2:

zypper in -t patch sleman17sp2-struts-9422

- SUSE Linux Enterprise Software Development Kit 11 SP3:

zypper in -t patch sdksp3-struts-9423

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Manager Server (noarch):

struts-1.2.9-162.33.1

- SUSE Manager 1.7 for SLE 11 SP2 (noarch):

struts-1.2.9-162.33.1

- SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch):

struts-1.2.9-162.33.1
struts-javadoc-1.2.9-162.33.1
struts-manual-1.2.9-162.33.1


References:

http://support.novell.com/security/cve/CVE-2014-0114.html
https://bugzilla.novell.com/875455

http://download.suse.com/patch/finder/?keywords=11dc6b57770cce35af080f561b5ae3f7

http://download.suse.com/patch/finder/?keywords=fae66e428a1fc1171cb8d6304d55ab38

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages