CVE-2013-4316 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4316): Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. CVE-2013-4310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4310): Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
+ 02 Oct 2013; Tom Wijsman <TomWij@gentoo.org> + +files/struts-2.3.15.2-build.xml-apps-package.patch, + +files/struts-2.3.15.2-build.xml-classpath.patch, + +files/struts-2.3.15.2-build.xml-manifest.patch, + +files/struts-2.3.15.2-build.xml-remove-apps-portlet.patch, + +files/struts-2.3.15.2-build.xml-remove-core-and-plugins.patch, + +struts-2.3.15.2.ebuild: + Version bump to 2.3.15.2; for bug #152352, bug #237146, bug #405931 and bug + #486752. Looks like we are going to need some KEYWORDREQ and STABLEREQ bugs; since it is late and have worked half a day on is, I'll look into that tomorrow. If you want to file them before that, feel free to go ahead.
This package has been removed, along with all the struts related ebuilds. See bug 540888.
Should we produce removal GLSA? vote: No
(In reply to Mikle Kolyada from comment #3) > Should we produce removal GLSA? > > vote: No GLSA Vote: No
