Posted to user@struts.apache.org by Doug Erickson <do...@part.net> on 2016/04/27 01:04:46 UTC

Confusion on Security Bulletin fix versions

On the Struts home page, it says, "We have released two older versions of
Apache Struts which *contain the latest security fixes.* Please read
announcement for *2.3.20.3* ..."

Those notes say, "This release addresses *two* potential security
vulnerabilities," and then lists three issues, S2-029, S2-031, and S2-032.

The notes for S2-029 say to use version 2.3.28, and the notes for S2-031
and S2-032 say to use version 2.3.20.2. S2-030 only mentions 2.3.28.

I really appreciate the maintenance of the older releases. Specifically,
changes in OGNL 3.0.13 cause some failures that are hard to find
statically, and perhaps other incompatibilities lurk in newer versions.

Am I safe to take the announcement at face value, and assume that 2.3.20.3
contains fixes for all known vulnerabilities, disregarding the details of
the bulletins themselves? Is there a plan to provide security updates for
2.3.20 and 2.3.24? How long will they be supported?

Thanks for the help!

Doug

Re: Confusion on Security Bulletin fix versions

Posted by Lukasz Lenart <lu...@apache.org>.
2016-04-27 1:04 GMT+02:00 Doug Erickson <do...@part.net>:
> On the Struts home page, it says, "We have released two older versions of
> Apache Struts which *contain the latest security fixes.* Please read
> announcement for *2.3.20.3* ..."
>
> Those notes say, "This release addresses *two* potential security
> vulnerabilities," and then lists three issues, S2-029, S2-031, and S2-032.

Fixed, it was supposed to be "three".

> The notes for S2-029 say to use version 2.3.28, and the notes for S2-031
> and S2-032 say to use version 2.3.20.2. S2-030 only mentions 2.3.28.

Also fixed, there was a bug discovered in 2.3.20.2 and 2.3.20.2 and
that's why new versions were released - 2.3.20.3 & 2.3.24.3.

> I really appreciate the maintenance of the older releases. Specifically,
> changes in OGNL 3.0.13 cause some failures that are hard to find
> statically, and perhaps other incompatibilities lurk in newer versions.

Yes, that was the main reason to also release two older versions which
already use the Internal Security Mechanism. The changes in OGNL play
nicely with it.

> Am I safe to take the announcement at face value, and assume that 2.3.20.3
> contains fixes for all known vulnerabilities, disregarding the details of
> the bulletins themselves? Is there a plan to provide security updates for
> 2.3.20 and 2.3.24? How long will they be supported?

Not exactly, S2-030 wasn't addressed in 2.3.20.3 and 2.3.24.3 as we
assumed it is a low-risk vulnerability and in most cases everybody is
using UTF-8 encoding or the latest Java version.

There are no plans to support 2.3.20.x and 2.3.24.x in the future; we
assume that each user should migrate to the latest available version
in the 2.3.x branch, which is 2.3.28.1.
2.3.20.3 & 2.3.24.3 were released as the fix was quite easy and should
secure users for a long time against possible further RCE attacks (the
same as the Internal Security Mechanism). And those versions are used the
most (I mean 2.3.20 & 2.3.24) based on Maven Central statistics.


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/
