Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2017/09/06 19:29:16 UTC

Re: [CLOSED][VOTE][FASTTRACK] Struts 2.3.34

Vote passed with result:

+1 (binding)  x3
+1 (non-binding) x1


Thanks & regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2017-09-06 7:28 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> The Apache Struts 2.3.34 test build is now available. This release
> also contains backports from Struts 2.5.12 for the following security
> vulnerabilities:
>
> - A regular expression Denial of Service when using URLValidator
> (similar to S2-044 & S2-047),
>   see https://cwiki.apache.org/confluence/display/WW/S2-050
> - A remote attacker may create a DoS attack by sending a crafted XML
> request when using the Struts REST plugin,
>   see https://cwiki.apache.org/confluence/display/WW/S2-051
> - Possible Remote Code Execution attack when using the Struts REST
> plugin with XStream handler to handle XML payloads,
>   see https://cwiki.apache.org/confluence/display/WW/S2-048
>
> Except that, the following issues were also addressed:
>
> Bug
> [WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON
> Action is ignored, Numeric Keys will work and mapped
> [WW-4817] - Threads get blocked due to unnecessary synchronization in
> OgnlRuntime
>
> Dependency
> [WW-4832] - Upgrade to OGNL 3.0.21
> [WW-4844] - Upgrade to struts-master 11
>
> Improvement
> [WW-4834] - Improve RegEx used to validate URLs
>
> Release notes:
> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34
>
> Distribution:
> * https://dist.apache.org/repos/dist/dev/struts/2.3.34/
>
> Maven 2 staging repository:
> * https://repository.apache.org/content/repositories/staging/
>
> Once you have had a chance to review the test build, please respond
> with a vote on its quality:
>
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [ ] General Availability (GA)
>
> Everyone who has tested the build is invited to vote. Votes by PMC
> members are considered binding. A vote passes if there are at least
> three binding +1s and more +1s than -1s.
>
> The vote will remain open for at least 24 hours, longer upon request.
> A vote can be amended at any time to upgrade or downgrade the quality
> of the release based on future experience. If an initial vote
> designates the build as "Beta", the release will be submitted for
> mirroring and announced to the user list. Once released as a public
> beta, subsequent quality votes on a build may be held on the user
> list.
>
> As always, the act of voting carries certain obligations. A binding
> vote not only states an opinion, but means that the voter is agreeing
> to help do the work.
>
>
> Kind regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
