You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@struts.apache.org by rg...@apache.org on 2019/08/15 07:52:05 UTC
[struts-site] branch master updated: Update site for S2-058
This is an automated email from the ASF dual-hosted git repository.
rgielen pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/master by this push:
new 7f8994e Update site for S2-058
7f8994e is described below
commit 7f8994e6f1f4993bbe63bc32a055cac91342ece0
Author: Rene Gielen <re...@gmail.com>
AuthorDate: Thu Aug 15 09:51:43 2019 +0200
Update site for S2-058
---
source/announce.md | 19 +++++++++++++++++++
source/index.html | 8 ++++++++
2 files changed, 27 insertions(+)
diff --git a/source/announce.md b/source/announce.md
index 66f8957..c23fa36 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -13,6 +13,25 @@ title: Announcements 2019
Skip to: <a href="announce-2018.html">Announcements - 2018</a>
</p>
+#### 15 August 2019 - Security Advice: Announcing corrected affected version ranges in historic Apache Struts security bulletins and CVE entries {#a20190815}
+
+The Apache Struts Security team would like to announce that a number of historic [Struts Security Bulletins](https://cwiki.apache.org/confluence/display/WW/Security+Bulletin) and related CVE database entries contained incorrect affected release version ranges.
+
+The issue was reported by Christopher Fearon and the Black Duck Research Team within the Synopsys Cybersecurity Research Center. The reporting entity conducted thorough investigations on this matter, leading to a report to the Apache Struts Security Team. The Apache Struts Security Team worked with the reporters to cross-check said issues and map them to affected Apache Struts General Availability (GA) releases.
+
+This effort led to the issue of Struts Security Bulletin S2-058, referencing 15 historic Struts Security Bulletins and [respective CVE entries](https://github.com/CVEProject/cvelist/pull/2423/files) that have been updated to reflect corrections in affected GA version ranges as well as minimum GA versions to contain appropriate fixes for the issues at hand.
+
+The full Security Bulletin can be found here:
+
+[Apache Struts Security Buletin S2-058](https://cwiki.apache.org/confluence/display/WW/S2-058)
+
+The Struts Security Team stresses that while the reporters reference more affected issues and resulting affected version ranges, the Struts Security Bulletins only cover GA versions designated for production use. This led to less corrected Security Bulletins and CVE entries compared to the number of covered issues in the original report.
+
+It is very important to understand that while the individual listed bulletins contain updated minimum fix versions, it is strongly recommended to update to the version recommended by the latest Security Bulletin, which is [S2-057](https://cwiki.apache.org/confluence/display/WW/S2-057) by the time of this announcement. Following this advice, the recommended minimum Struts versions to operate in production are Struts 2.3.35 or Struts 2.5.17.
+
+The Apache Struts Security Team would like to thank the reporters for their efforts and their practice of responsible disclosure, as well as their help while investigating the report and coordinating public disclosure.
+
+
#### 14 January 2019 - Struts 2.5.20 General Availability {#a20190114}
The Apache Struts group is pleased to announce that Struts 2.5.20 is available as a "General Availability"
diff --git a/source/index.html b/source/index.html
index 6084881..46636c3 100644
--- a/source/index.html
+++ b/source/index.html
@@ -66,6 +66,14 @@ title: Welcome to the Apache Struts project
</p>
</div>
<div class="column col-md-4">
+ <h2>Security Advice S2-058 released</h2>
+ <p>
+ A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges.
+ Read more in
+ <a href="announce#a20190815">Announcement</a>
+ </p>
+ </div>
+ <div class="column col-md-4">
</div>
</div>
</div>