From ${URL} :

Description
Two vulnerabilities have been reported in Apache Struts, which can be exploited by malicious people to bypass certain security restrictions.

1) The application allows access to the "class" parameter which is directly mapped to the "getClass()" method via the ParametersInterceptor. This vulnerability is caused due to an incomplete fix of CVE-2014-0094. For more information see vulnerability #1 in: SA56440

2) The application allows access to the "class" parameter which is directly mapped to the "getClass()" method via the CookieInterceptor. This can be exploited to manipulate the ClassLoader used by the application server. Successful exploitation of this vulnerability requires that the application is configured to accept all cookies.

The vulnerabilities are reported in versions prior to 2.3.16.2.

Solution:
Update to version 2.3.16.2.

Provided and/or discovered by:
JPCERT/CC.

The vendor additionally credits Takeshi Terada and Takayoshi Isayama, Mitsui Bussan Secure Directions, Inc., Yoshiyuki Karezaki, BAKA/ty, Shine, NSFOCUS Security Team, heige.

Original Advisory:
Apache Struts S2-021:
http://struts.apache.org/development/2.x/docs/s2-021.html

JVN (English):
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000045
http://jvn.jp/en/jp/JVN19294237/index.html

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2014-0113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0113): CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

CVE-2014-0112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0112): ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
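Both interceptor paths above (request parameter names via ParametersInterceptor, cookie names via a wildcard CookieInterceptor) reach getClass() through a name whose OGNL path contains a "class" segment. As an added example that is not part of this bug report or of Struts itself, here is a request-side check, in Python, that flags such names before they are mapped onto an action; the regex, the helper names and the sample traffic are assumptions made for the example, not the project's excludeParams pattern.

```python
import re
from urllib.parse import parse_qsl

# An OGNL property path reaches getClass() when one of its segments is named
# "class". Segments are delimited by '.', '[' ... ']' and optional quotes, so
# the check looks for "class" bounded by those characters or the string edges.
# Case-insensitive on purpose: "Class" is treated the same as "class".
# This pattern is an assumption for the example, not the Struts excludeParams regex.
CLASS_SEGMENT = re.compile(r"(^|[.\[\]'\"])class([.\[\]'\"]|$)", re.IGNORECASE)


def is_unsafe_name(name: str) -> bool:
    """True if a parameter or cookie name would be resolved through getClass()."""
    return CLASS_SEGMENT.search(name) is not None


def unsafe_query_params(query_string: str) -> list:
    """Names in a URL query string that a ParametersInterceptor-style filter
    should refuse to set on the action (keys are URL-decoded by parse_qsl)."""
    return [k for k, _ in parse_qsl(query_string, keep_blank_values=True)
            if is_unsafe_name(k)]


def unsafe_cookie_names(cookie_header: str) -> list:
    """Names in a Cookie header that a wildcard cookiesName setting would
    otherwise map onto the action; split by hand since names may contain
    brackets that the stdlib cookie parser does not accept."""
    names = []
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        if name and is_unsafe_name(name):
            names.append(name)
    return names


# Constructed sample traffic (not taken from the advisory): a benign request,
# then a request and a cookie that name the class path in two spellings.
SAMPLE_QUERIES = [
    "name=alice&age=30",
    "name=bob&class.classLoader.foo=1&classic=2",
    "Class%5B%27classLoader%27%5D.foo=1",
]
SAMPLE_COOKIE = "JSESSIONID=abc123; class.classLoader.foo=1; className=x"

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", unsafe_query_params(q))
    print(SAMPLE_COOKIE, "->", unsafe_cookie_names(SAMPLE_COOKIE))
```

Names such as className, subclass.name or classic pass, because "class" is only rejected when it is a whole path segment.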
This package has been removed, along with all the struts related ebuilds. See bug 540888.
The package is gone.