[Spacewalk-list] Spacewalk Possible Remote Code Exploit Heads Up

Eric ericb at enrsystems.com
Wed Mar 8 21:05:48 UTC 2017


    
I certainly hope you are right.  Though I believe the version you listed is the Red Hat package, not the one in the JPackage repo that the install documents indicate.  That is struts-1.3.8-2.jpp5.noarch.  That version already pops in 3 different scanner products for other vulnerabilities.



-------- Original message --------
From: Avi Miller <avi.miller at oracle.com> 
Date: 3/8/17  12:35 PM  (GMT-07:00) 
To: spacewalk-list at redhat.com 
Subject: Re: [Spacewalk-list] Spacewalk Possible Remote Code Exploit Heads Up 

Hi,

The CVE is applicable to struts2, while the version from JPackage is struts-1.3.10-12.el7.noarch. I’m assuming (hoping) that it’s actually too old to be vulnerable.

Cheers,
Avi

> On 9 Mar 2017, at 5:49 am, Eric <ericb at enrsystems.com> wrote:
> 
> CVE-2017-5638
> 
> Struts.  Our struts package is from the Generic Jpackage repository.  The 
> struts rpm there has not been maintained for years.  The current build 
> directions point at that repository, so I believe that makes ALL current 
> versions of Spacewalk, including 2.6, vulnerable.
> 
> Thoughts?  I believe it's applicable, but I may be mistaken, please correct me 
> if I'm wrong!!!
> 
> If it is vulnerable, is there an alternative package that is known to work 
> with Spacewalk?  I am facing the very real possibility of being required to 
> take my Spacewalk server offline today, a huge impact to my environment.
> 
> Thanks!
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list

--
Oracle <http://www.oracle.com>
Avi Miller | Product Management Director | +61 (3) 8616 3496
Oracle Linux and Virtualization
417 St Kilda Road, Melbourne, Victoria 3004 Australia

