From ${URL} :

Description
A vulnerability has been reported in Apache Struts, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application not properly restricting access to the "class" parameter which is directly mapped to the "getClass()" method via the CookieInterceptor. This can be exploited to manipulate the ClassLoader used by the application server and subsequently e.g. change the state of a session or request.

This vulnerability is caused due to an improper fix of CVE-2014-0113. For more information see vulnerability #2 in: SA58016

The vulnerability is reported in versions prior to 2.3.16.3.

Solution:
Update to version 2.3.16.3.

Provided and/or discovered by:
Originally reported by several reporters within version 2.3.16.1. The vendor additionally credits Zubair Ashraf, IBM X-Force for information about an incomplete fix.

Original Advisory:
Apache Struts:
http://struts.apache.org/release/2.3.x/docs/s2-022.html

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2014-0116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0116): CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
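The advisory text and the CVE summary above both describe the same root cause: with a wildcard cookiesName, cookie names are mapped onto bean properties by name, and a name path starting with "class" reaches getClass() and from there the ClassLoader. The following is an added example, not code from Struts, Secunia or Gentoo, of the kind of name check a defender would put in front of any such name-based property mapping. The class name CookieNameGuard, the regular expressions and the sample cookie names are my own constructions; the real 2.3.16.3 fix uses its own exclusion pattern, which this example does not reproduce.

```java
import java.util.regex.Pattern;

/**
 * Added example: a deny-list/allow-list check for cookie (or parameter) names
 * before they are handed to a framework that maps names onto bean properties.
 * The goal is to ensure no accepted name can resolve the "class" property.
 */
public class CookieNameGuard {

    // Allow-list: plain identifiers joined by dots. Brackets, quotes and
    // expression syntax are rejected outright, so only the dotted form of a
    // property path needs the deny-list below. (Assumed policy, not Struts'.)
    private static final Pattern ALLOWED =
        Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    // Deny-list: any path segment that is exactly "class" (either case),
    // whether at the start, in the middle or at the end of the dotted path.
    // "classic" or "user.classification" are not matched, "foo.class.bar" is.
    private static final Pattern CLASS_SEGMENT =
        Pattern.compile("(^|.*\\.)[cC]lass(\\..*|$)");

    private static final int MAX_NAME_LENGTH = 100;

    /** Returns true only if the name is safe to hand to a name-based setter. */
    public static boolean isSafeCookieName(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LENGTH) {
            return false;
        }
        if (!ALLOWED.matcher(name).matches()) {
            return false;
        }
        return !CLASS_SEGMENT.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names: the first three are ordinary, the rest
        // would reach getClass() via a property path or use disallowed syntax.
        String[] samples = {
            "sessionTheme",
            "user.classification",
            "classic",
            "class.classLoader.resources.dirContext.docBase",
            "Class.classLoader.something",
            "user.class.classLoader.x",
            "user['class'].classLoader",
            "class"
        };
        for (String s : samples) {
            System.out.printf("%-50s %s%n", s,
                isSafeCookieName(s) ? "accept" : "reject");
        }
    }
}
```

Running main prints "accept" for the first three names and "reject" for the remaining five. The allow-list does most of the work: once bracket and quote syntax is excluded, the only way to reach the class property is a dotted segment named "class", which the second pattern catches. Logging rejected names is a cheap detection signal for this class of probing.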
CVE-2014-7809 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7809): Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
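As an added example of the token issue in CVE-2014-7809, not Struts' own token helper, the following shows a CSRF token source built on a cryptographically secure generator and a constant-time comparison. The class name CsrfToken and the 32-byte token size are my own choices; the example does not reproduce the Struts implementation or its fix.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example: an unpredictable anti-CSRF token. A token is only useful if
 * an attacker who has seen earlier tokens cannot predict the next one, which
 * requires a CSPRNG rather than a seeded general-purpose generator.
 */
public class CsrfToken {

    // SecureRandom draws from the platform's CSPRNG; one shared instance is
    // fine, the class is thread-safe.
    private static final SecureRandom RNG = new SecureRandom();

    private static final int TOKEN_BYTES = 32; // 256 bits of entropy

    /** Generates a fresh token as URL-safe base64 without padding. */
    public static String newToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * Compares the token stored in the session with the one submitted in the
     * form, in constant time, so response timing does not leak how many
     * leading characters matched.
     */
    public static boolean matches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String sessionToken = newToken();          // stored server-side
        String formToken = sessionToken;           // echoed back by a real form
        String forgedToken = newToken();           // what a third party would guess
        System.out.println("token:   " + sessionToken);
        System.out.println("genuine: " + matches(sessionToken, formToken));
        System.out.println("forged:  " + matches(sessionToken, forgedToken));
    }
}
```

The token must be bound to the session and regenerated at login; the generator above only addresses the predictability half of the problem.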
This package has been removed, along with all the struts related ebuilds. See bug 540888.
The package is gone