SUSE Security Update: Security update for struts
______________________________________________________________________________
Announcement ID: SUSE-SU-2014:0902-1
Rating: important
References: #875455
Cross-References: CVE-2014-0114
Affected Products:
SUSE Manager Server
SUSE Manager 1.7 for SLE 11 SP2
SUSE Linux Enterprise Software Development Kit 11 SP3
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
Apache Struts was updated to fix a security issue:
* CVE-2014-0114: The ActionForm object in Apache Struts 1.x through
1.3.10 allows remote attackers to “manipulate” the ClassLoader and
execute arbitrary code via the class parameter, which is passed to
the getClass method.
Security Issue reference:
* CVE-2014-0114
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114>
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
– SUSE Manager Server:
zypper in -t patch sleman21-struts-9423
– SUSE Manager 1.7 for SLE 11 SP2:
zypper in -t patch sleman17sp2-struts-9422
– SUSE Linux Enterprise Software Development Kit 11 SP3:
zypper in -t patch sdksp3-struts-9423
To bring your system up-to-date, use “zypper patch”.
Package List:
– SUSE Manager Server (noarch):
struts-1.2.9-162.33.1
– SUSE Manager 1.7 for SLE 11 SP2 (noarch):
struts-1.2.9-162.33.1
– SUSE Linux Enterprise Software Development Kit 11 SP3 (noarch):
struts-1.2.9-162.33.1
struts-javadoc-1.2.9-162.33.1
struts-manual-1.2.9-162.33.1
References:
http://support.novell.com/security/cve/CVE-2014-0114.html
https://bugzilla.novell.com/875455
http://download.suse.com/patch/finder/?keywords=11dc6b57770cce35af080f561b5ae3f7
http://download.suse.com/patch/finder/?keywords=fae66e428a1fc1171cb8d6304d55ab38
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org