Posted to commits@struts.apache.org by ya...@apache.org on 2018/08/22 07:20:12 UTC

[struts-site] branch master updated: release 2.5.17 and 2.3.35

This is an automated email from the ASF dual-hosted git repository.

yasserzamani pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/struts-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 1f66ba6  release 2.5.17 and 2.3.35
1f66ba6 is described below

commit 1f66ba6028734438164834675cb7d11be4e75b9c
Author: Yasser Zamani <ya...@apache.org>
AuthorDate: Wed Aug 22 11:44:37 2018 +0430

    release 2.5.17 and 2.3.35
---
 _config.yml          | 12 ++++++----
 source/announce.md   | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 source/download.html | 40 ++++++++++++++++----------------
 source/index.html    | 14 +++++------
 source/releases.html | 13 +++++++++++
 5 files changed, 113 insertions(+), 31 deletions(-)

diff --git a/_config.yml b/_config.yml
index d69c392..dca449a 100644
--- a/_config.yml
+++ b/_config.yml
@@ -10,13 +10,17 @@ kramdown:
   syntax_highlighter: rouge
 
 # Simplifies introducing changes related to the latest release
-current_version: 2.5.16
-current_version_short: 2516
+current_version: 2.5.17
+current_version_short: 2517
+prev_version: 2.3.35
+prev_version_short: 2335
 archetype_version: 2.5.14
 current_beta_version: 2.5-BETA3
 current_beta_version_short: 25B3
-release_date: 16 March 2018
-release_date_short: 20180316
+release_date: 22 August 2018
+release_date_short: 20180822
+prev_release_date: 22 August 2018
+prev_release_date_short: 20180822
 beta_release_date_short: 20160126
 
 # Allows directly edit pages on GitHub
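Review bot: `prev_version` and `prev_release_date` (lines `+prev_version: 2.3.35` and `+prev_release_date: 22 August 2018`) describe a parallel maintenance branch rather than a previous release, and `prev_release_date` duplicates `release_date` only because both lines shipped on the same day; the two will diverge the next time one branch is released without the other, so a branch-specific name and a comment above these keys saying they track the 2.3.x line would make the intent clear. `prev_version_short: 2335` is not referenced by any file in this push; if nothing else in the site reads it, it is dead config.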
diff --git a/source/announce.md b/source/announce.md
index e9b7f7e..805e44d 100644
--- a/source/announce.md
+++ b/source/announce.md
@@ -13,6 +13,71 @@ title: Announcements 2018
   Skip to: <a href="announce-2017.html">Announcements - 2017</a>
 </p>
 
+#### 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 {#a20180822-0}
+
+CVEID:CVE-2018-11776
+
+PRODUCT:Apache Struts
+
+VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
+
+PROBLEMTYPE:Remote Code Execution
+
+REFERENCES:[S2-057]({{ site.wiki_url }}/S2-057)
+
+DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and
+2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its 
+upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action
+set and in same time, its upper action(s) have no or wildcard namespace.
+
+#### 22 August 2018 - Struts 2.5.17 General Availability {#a20180822-1}
+
+The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a "General Availability"
+release. The GA designation is our highest quality grade.
+
+In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:
+
+- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or 
+wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057)
+
+Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.
+
+**All developers are strongly advised to perform this action.**
+
+The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 7.
+
+Should any issues arise with your use of any version of the Struts framework, please post your comments
+to the user list, and, if appropriate, file a tracking ticket.
+
+You can download this version from our [download](download.cgi#struts-ga) page.
+
+#### 22 August 2018 - Struts 2.3.35 General Availability {#a20180822-2}
+
+The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a "General Availability"
+release. The GA designation is our highest quality grade.
+
+In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:
+
+- Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or 
+wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - [S2-057]({{ site.wiki_url }}/S2-057)
+
+Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.
+
+**All developers are strongly advised to perform this action.**
+
+The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 6.
+
+Should any issues arise with your use of any version of the Struts framework, please post your comments
+to the user list, and, if appropriate, file a tracking ticket.
+
+You can download this version from our [download](download.cgi#struts-23x) page.
+
 #### 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin {#a20180327}
 
 The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released 
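Review bot: The DESCRIPTION text carries grammar errors that downstream trackers will quote verbatim: "was noticed that" should read "noticed that", and "in same time" should be "at the same time" (twice in the DESCRIPTION and again in both GA bullet lists). The S2-057 bullet under each GA entry also truncates the second condition: it stops at "which doesn't have value and action set" and drops the qualifier "and at the same time, its upper action(s) have no or wildcard namespace" that the DESCRIPTION gives, so the bullet describes a broader exposure than the bulletin does. Finally, "All developers are strongly advised to perform this action" follows a paragraph about the framework in general, so the action is only implied; state "upgrade to 2.5.17" (respectively 2.3.35) explicitly before the bold line.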
diff --git a/source/download.html b/source/download.html
index b3e3420..9b325d2 100644
--- a/source/download.html
+++ b/source/download.html
@@ -141,19 +141,19 @@ title: Download a Release
 
 </ul>
 
-<h3 id="struts-23x">Struts 2.3.34</h3>
+<h3 id="struts-23x">Struts {{ site.prev_version }}</h3>
 
 <ul>
   <li>
-    <a href="https://struts.apache.org/docs/version-notes-2334.html">Version Notes</a>
+    <a href="{{ site.wiki_url }}/Version+Notes+{{ site.prev_version }}">Version Notes</a>
   </li>
 
   <li>Full Distribution:
     <ul>
       <li>
-        <a href="[preferred]struts/2.3.34/struts-2.3.34-all.zip">struts-2.3.34-all.zip</a> (65MB)
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip.asc">PGP</a>]
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip.md5">MD5</a>]
+        <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-all.zip">struts-{{ site.prev_version }}-all.zip</a> (65MB)
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-all.zip.asc">PGP</a>]
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-all.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
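Review bot: The file size stays hardcoded as "(65MB)" on the `+ ... -all.zip` line (and as 35MB, 4MB, 19MB, 13MB and 7MB in the hunks that follow) while the version became `{{ site.prev_version }}`, so the sizes describe the 2.3.34 artifacts and will drift for 2.3.35 and every later bump; either move them into `_config.yml` beside `prev_version` or drop them. The `.md5` link is also carried over unchanged: an MD5 digest only catches a truncated download, not a tampered one, so the PGP `.asc` signature is the check users should be told to run, and a SHA-256 or SHA-512 sum is the right companion if a plain checksum is kept at all. Serving the archive from the `[preferred]` mirror but the signature from `https://www.apache.org/dist/` is correct and should stay that way.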
@@ -161,9 +161,9 @@ title: Download a Release
   <li>Example Applications:
     <ul>
       <li>
-        <a href="[preferred]struts/2.3.34/struts-2.3.34-apps.zip">struts-2.3.34-apps.zip</a> (35MB)
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-apps.zip.asc">PGP</a>]
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-apps.zip.md5">MD5</a>]
+        <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-apps.zip">struts-{{ site.prev_version }}-apps.zip</a> (35MB)
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-apps.zip.asc">PGP</a>]
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-apps.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
@@ -171,9 +171,9 @@ title: Download a Release
   <li>Essential Dependencies Only:
     <ul>
       <li>
-        <a href="[preferred]struts/2.3.34/struts-2.3.34-min-lib.zip">struts-2.3.34-min-lib.zip</a> (4MB)
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-min-lib.zip.asc">PGP</a>]
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-min-lib.zip.md5">MD5</a>]
+        <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-min-lib.zip">struts-{{ site.prev_version }}-min-lib.zip</a> (4MB)
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-min-lib.zip.asc">PGP</a>]
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-min-lib.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
@@ -181,9 +181,9 @@ title: Download a Release
   <li>All Dependencies:
     <ul>
       <li>
-        <a href="[preferred]struts/2.3.34/struts-2.3.34-lib.zip">struts-2.3.34-lib.zip</a> (19MB)
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.asc">PGP</a>]
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.md5">MD5</a>]
+        <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-lib.zip">struts-{{ site.prev_version }}-lib.zip</a> (19MB)
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-lib.zip.asc">PGP</a>]
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-lib.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
@@ -191,9 +191,9 @@ title: Download a Release
   <li>Documentation:
     <ul>
       <li>
-        <a href="[preferred]struts/2.3.34/struts-2.3.34-docs.zip">struts-2.3.34-docs.zip</a> (13MB)
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-docs.zip.asc">PGP</a>]
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-docs.zip.md5">MD5</a>]
+        <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-docs.zip">struts-{{ site.prev_version }}-docs.zip</a> (13MB)
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-docs.zip.asc">PGP</a>]
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-docs.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
@@ -201,9 +201,9 @@ title: Download a Release
   <li>Source:
     <ul>
       <li>
-        <a href="[preferred]struts/2.3.34/struts-2.3.34-src.zip">struts-2.3.34-src.zip</a> (7MB)
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-src.zip.asc">PGP</a>]
-        [<a href="https://www.apache.org/dist/struts/2.3.34/struts-2.3.34-src.zip.md5">MD5</a>]
+        <a href="[preferred]struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-src.zip">struts-{{ site.prev_version }}-src.zip</a> (7MB)
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-src.zip.asc">PGP</a>]
+        [<a href="https://www.apache.org/dist/struts/{{ site.prev_version }}/struts-{{ site.prev_version }}-src.zip.md5">MD5</a>]
       </li>
     </ul>
   </li>
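Review bot: The six list items in this file now differ only in the artifact suffix (`-all`, `-apps`, `-min-lib`, `-lib`, `-docs`, `-src`) and the size string, so a single Liquid loop over a small list of suffix/size pairs would replace the six near-identical hunks and keep the PGP and checksum links from being edited inconsistently on the next release.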
diff --git a/source/index.html b/source/index.html
index ed46171..ecbf42b 100644
--- a/source/index.html
+++ b/source/index.html
@@ -40,15 +40,15 @@ title: Welcome to the Apache Struts project
         <p>
           Apache Struts {{ site.current_version }} GA has been released<br/>on {{ site.release_date }}.
         </p>
-        Read more in <a href="announce.html#a{{ site.release_date_short }}">Announcement</a> or in
+        Read more in <a href="announce.html#a{{ site.release_date_short }}-1">Announcement</a> or in
         <a href="{{ site.wiki_url }}/Version+Notes+{{ site.current_version }}">Version notes</a>
       </div>
       <div class="column col-md-4">
-        <h2>Apache Struts 2.3.34 GA</h2>
+        <h2>Apache Struts {{ site.prev_version }} GA</h2>
         <p>
           It's the latest release of Struts 2.3.x which contains the latest security fixes,
-          read more in <a href="announce-2017.html#a20170907">Announcement</a> or in
-          <a href="/docs/version-notes-2334.html">Version notes</a>
+          released on {{ site.prev_release_date }}.<br/> Read more in <a href="announce.html#a{{ site.prev_release_date_short }}-2">Announcement</a> or in
+          <a href="{{ site.wiki_url }}/Version+Notes+{{ site.prev_version }}">Version notes</a>
         </p>
       </div>
     </div>
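Review bot: The anchor suffixes `-1` in `announce.html#a{{ site.release_date_short }}-1` and `-2` in `announce.html#a{{ site.prev_release_date_short }}-2` hardcode each entry's position among the three announcements posted on 22 August 2018 while the date part is templated; on the next release the date variables update but the suffix will point at a missing or wrong heading unless index.html is edited as well. Either put the full announcement anchor into `_config.yml` beside `release_date_short`, or give each announce heading a stable id derived from the version so the template can build it from `current_version_short` and `prev_version_short`.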
@@ -72,11 +72,11 @@ title: Welcome to the Apache Struts project
         </p>
       </div>
       <div class="column col-md-4">
-        <h2>A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin</h2>
+        <h2>Immediately upgrade to version {{ site.current_version }} or {{ site.prev_version }}</h2>
         <p>
           The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use
-          the latest released version of the Apache Struts to prevent possible DoS attack when using the REST plugin.
-          <a href="announce.html#a20180327">Announcement</a>
+          the latest released version of the Apache Struts to prevent possible RCE attack when using results with no namespace,
+          reported in <a href="{{ site.wiki_url }}/S2-057">S2-057</a>. Read more in <a href="announce.html#a{{ site.release_date_short }}-0">Announcement</a>.
         </p>
       </div>
     </div>
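Review bot: The new warning text describes S2-057 only as "RCE attack when using results with no namespace", but the bulletin text added to announce.md in this same commit also covers the `url` tag without `value` and `action` set, so a reader who uses the tag but no namespace-less results will conclude they are unaffected; mention both triggers or point readers to S2-057 for the affected configurations without paraphrasing. The link `announce.html#a{{ site.release_date_short }}-0` has the same hardcoded-suffix fragility as the other anchors in this file.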
diff --git a/source/releases.html b/source/releases.html
index 57f29fb..1badc7b 100644
--- a/source/releases.html
+++ b/source/releases.html
@@ -107,6 +107,18 @@ title: Releases
   <tbody>
   <tr>
     <td class="no-wrap">
+      Struts 2.5.16
+    </td>
+    <td class="no-wrap">16 March 2018</td>
+    <td>
+      <a href="{{ site.wiki_url }}/S2-057">S2-057</a>
+    </td>
+    <td>
+      <a href="{{ site.wiki_url }}/Version+Notes+2.5.16">Version notes</a>
+    </td>
+  </tr>
+  <tr>
+    <td class="no-wrap">
       Struts 2.5.14.1
     </td>
     <td class="no-wrap">30 November 2017</td>
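Review bot: The inserted 2.5.16 row (dated 16 March 2018) lists S2-057 in the bulletins column, and the second hunk in this file adds S2-057 to the 2.3.34 row whose column was empty before this commit; that only makes sense if the column means "bulletins that affect this version", so confirm that reading and say so in the table header, otherwise the next editor will read it as "bulletins fixed by this version" and add S2-057 to 2.5.17 instead.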
@@ -136,6 +148,7 @@ title: Releases
     </td>
     <td class="no-wrap">7 September 2017</td>
     <td>
+      <a href="{{ site.wiki_url }}/S2-057">S2-057</a>
     </td>
     <td>
       <a href="{{ site.wiki_url }}/Version+Notes+2.3.34">Version notes</a>
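Review bot: No row is added for 2.3.35 itself, whereas the first hunk adds a 2.5.16 row while 2.5.17 becomes the current version; if the newest release of each line is rendered elsewhere on the page from `current_version` and `prev_version` that is fine, but if not, 2.3.35 will be missing from the table until the next 2.3.x release.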