Posted to dev@velocity.apache.org by "Aaron Katz (JIRA)" <de...@velocity.apache.org> on 2017/03/09 20:33:38 UTC

[jira] [Comment Edited] (VELTOOLS-171) Upgrade to supported, secure version of Struts

    [ https://issues.apache.org/jira/browse/VELTOOLS-171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15903787#comment-15903787 ] 

Aaron Katz edited comment on VELTOOLS-171 at 3/9/17 8:32 PM:
-------------------------------------------------------------

-To make sure I understand this correctly, does this mean that in 2.1, there will be no more dependency on struts?-  (sorry, I misread Michael's comment, prior question can be ignored.  New questions copied from the other ticket, since they're relevant here, too)

Thanks!  This raises a few questions for me:

* When is 3.0 expected to release?  
* Did the removal of Validator also occur in VelocityTools 2.1 or 2.2?  
* If not, will 2.x enter end of life as the method to deal with this vulnerability, or will the changes be backported?
* Is there an ETA for when 3.0 will be available?



was (Author: tsohlacol):
To make sure I understand this correctly, does this mean that in 2.1, there will be no more dependency on struts?

> Upgrade to supported, secure version of Struts
> ----------------------------------------------
>
>                 Key: VELTOOLS-171
>                 URL: https://issues.apache.org/jira/browse/VELTOOLS-171
>             Project: Velocity Tools
>          Issue Type: Bug
>          Components: VelocityStruts
>    Affects Versions: 2.0, 2.0.x, 2.1, 2.x
>            Reporter: Aaron Katz
>              Labels: security
>
> *Please upgrade struts to a supported, secure version*.  At this time, that means upgrading to 2.3.32 or 2.5.10.1.
> h2. vulnerabilities
> There are publicly known high severity vulnerabilities, including remote code execution vulns, affecting all versions of Struts 2 except the versions cited above.
> * https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_vendor=cpe%3a%2f%3aapache&cpe_product=cpe%3a%2f%3a%3astruts&cvss_version=3&cve_id=
> * (details not yet in NVD) https://cwiki.apache.org/confluence/display/WW/S2-045
> h2. support
> Apache Struts 1 [reached end of life in the year 2000|https://struts.apache.org/struts1eol-announcement.html], but [VelocityTools depends upon Struts 1.3.8|http://velocity.apache.org/tools/2.0/dependencies.html].
> When vulnerabilities are discovered in unsupported software, the industry standard response is "you need to patch to a supported version."  If you get too far behind in patch levels, then it may be very difficult to upgrade due to broken backwards compatibility.  
> Furthermore, when vulnerabilities are discovered in supported software, there is no industry standard for determining if it affects unsupported versions.  It's entirely possible that there are known vulnerabilities that affect the unsupported Struts 1.3.8 required by Velocity, and nobody will know until they're breached.  On the other hand, when there's a supported major version, it's a de facto industry standard to announce all supported versions that are affected.  This means that staying on a supported version increases the chances of seeing vulnerability announcements for vulns that affect Velocity.  It also means that staying on an unsupported version is considered equivalent to staying on a known vulnerable version.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
