Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2017/07/11 07:17:05 UTC

[VOTE][FASTTRACK] Struts 2.3.33

The Apache Struts 2.3.33 test build is now available. With this
release the following security vulnerabilities were addressed:

- Possible RCE in the Struts Showcase app in the Struts 1 plugin
example in Struts 2.3.x series, see
https://cwiki.apache.org/confluence/display/WW/S2-048
- A DoS attack is available for Spring secured actions, see
https://cwiki.apache.org/confluence/display/WW/S2-048

Apart from that, the following issues were also addressed:

Bug
[WW-4735] - EmailValidator does not accept new domain suffixes
[WW-4770] - Revision number still missing from dojo.js and
dojo.js.uncompressed.js
[WW-4802] - Strange Behavior Parsing Action Requests

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.33

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.33/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

The vote will remain open for at least 24 hours, longer upon request.
A vote can be amended at any time to upgrade or downgrade the quality
of the release based on future experience. If an initial vote
designates the build as "Beta", the release will be submitted for
mirroring and announced to the user list. Once released as a public
beta, subsequent quality votes on a build may be held on the user
list.

As always, the act of voting carries certain obligations. A binding
vote not only states an opinion, but means that the voter is agreeing
to help do the work.


Kind regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: [VOTE][FASTTRACK] Struts 2.3.33

Posted by Yasser Zamani <ya...@live.com>.
On 7/11/2017 11:47 AM, Lukasz Lenart wrote:
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 (non binding)



Re: [VOTE][FASTTRACK] Struts 2.3.33

Posted by Lukasz Lenart <lu...@apache.org>.
Still one binding vote is missing :(



Re: [VOTE][FASTTRACK] Struts 2.3.33

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-11 12:19 GMT+02:00 Greg Huber <gr...@gmail.com>:
> I have tried to get this working on my 2.5.x setup but failed, so I am
> unable to test this release now.
>
> The dtd definition now seems mandatory in the struts.xml, so I would have
> to remove all my 2.5.x entries to get it to work.

They are not mandatory; rather, 2.3.x doesn't know how to handle 2.5
DTDs, as it is missing this entry:
https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/config/StrutsXmlConfigurationProvider.java#L78


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: [VOTE][FASTTRACK] Struts 2.3.33

Posted by Greg Huber <gr...@gmail.com>.
I have tried to get this working on my 2.5.x setup but failed, so I am
unable to test this release now.

The dtd definition now seems mandatory in the struts.xml, so I would have
to remove all my 2.5.x entries to get it to work.




Re: [VOTE][FASTTRACK] Struts 2.3.33

Posted by Christoph Nenning <Ch...@lex-com.net>.
 [ ] Leave at test build
 [ ] Alpha
 [ ] Beta
 [X] General Availability (GA)

+1, binding

Regards,
Christoph




Re: [VOTE][FASTTRACK] Struts 2.3.33

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-11 9:17 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> [ ] Leave at test build
> [ ] Alpha
> [ ] Beta
> [X] General Availability (GA)

+1 (binding)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
