Upstream bug report: https://issues.apache.org/jira/browse/WW-4200

actual Struts version in fedora is 1.3.10
the problem is present only in Struts 2.0.0 and Struts 2.3.15.1
regards

please close this bug

Yes, upstream indicates 2.0.0+ but that is only because 1.x is no longer supported (so they never indicate whether it is affected).  Did you see the patch that corrects this issue and verify that it doesn't apply to 1.x?  Or do you have something more concrete than just upstream's "affected versions" value to substantiate this claim?

hi
not applicabile for 1.x series (required by springframework)
the files that should be patched are not available in 1.x
regards

structs2 breaks compatibility also with the following package
velocity-tools (springframework BR/R)
i will not update structs2, until depend on tomcat6 apis, or SpringFramework and Velocity tools do not require more

Statement:

Not Vulnerable. This issue only affects struts 2, it does not affect the versions of struts as shipped with various Red Hat products.

External References:

https://issues.apache.org/jira/browse/WW-4200

Upstream Patch:

http://svn.apache.org/viewvc?view=revision&revision=r1524296

Struts 2.3.15.3 GA was announced yesterday, noting this issue as fixed, so possibly the previous fix was not sufficient:

http://seclists.org/fulldisclosure/2013/Oct/146

(In reply to Vincent Danen from comment #10)
> Struts 2.3.15.3 GA was announced yesterday, noting this issue as fixed, so
> possibly the previous fix was not sufficient:
> 
> http://seclists.org/fulldisclosure/2013/Oct/146
the bug hit only the 2.x series, and if read the previous comments, you can give an answer

(In reply to gil cattaneo from comment #11)
> the bug hit only the 2.x series, and if read the previous comments, you can
> give an answer

Yes, I'm aware of that.  I was just noting followup information, not implying that 1.x was affected.