Posted to user@struts.apache.org by Markus Fischer <Ma...@knipp.de> on 2014/10/20 16:49:41 UTC

Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Hi all.

>>> According to the Apache Struts 2 Documentation (see
>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two
>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]).

>> Probably it's a vulnerable version

> I'd add that since the plugin has been deprecated since S2.1 it's unlikely
> anything was ever done to deal with it.

Given that the plugin has been deprecated already, does anyone know for
which release the removal is planned? I was not able to find any
documentation regarding a Dojo plugin roadmap.

Cheers,
Markus

>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html
>> 
>> [2]
>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html




---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Pedro Gonzales <p....@gmail.com>.
Are the 2.2.x versions of struts 2 vulnerable?

On 10/20/2014 9:49 AM, Markus Fischer wrote:
> Hi all.
>
>>>> According to the Apache Struts 2 Documentation (see
>>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two
>>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]).
>>> Probably it's a vulnerable version
>> I'd add that since the plugin has been deprecated since S2.1 it's unlikely
>> anything was ever done to deal with it.
> Given that the plugin has been deprecated already, does anyone know for
> which release the removal is planned? I was not able to find any
> documentation regarding a Dojo plugin roadmap.
>
> Cheers,
> Markus
>
>>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html
>>>
>>> [2]
>>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html




Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Lukasz Lenart <lu...@apache.org>.
2014-10-20 17:14 GMT+02:00 Markus Fischer <Ma...@knipp.de>:
> On 20.10.2014 at 16:55, Lukasz Lenart wrote:
>> 2014-10-20 16:49 GMT+02:00 Markus Fischer <Ma...@knipp.de>:
>>> Given that the plugin has been deprecated already, does anyone know for
>>> which release the removal is planned? I was not able to find any
>>> documentation regarding a Dojo plugin roadmap.
>>
>> As from version 2.5
>> https://cwiki.apache.org/confluence/display/WW/Struts+Next#StrutsNext-PlanforStruts2.5
>
> Thank you, Łukasz. That is the information I was looking for (although I
> was hoping for a 2.3.X or 2.4 answer ;-).

After releasing 2.3.18 I'm going to work on 2.5 - there will be no 2.4
version as an indicator of large changes in 2.5 ;-) In some
circumstances we can release one more 2.3.x version.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Markus Fischer <Ma...@knipp.de>.
On 20.10.2014 at 16:55, Lukasz Lenart wrote:
> 2014-10-20 16:49 GMT+02:00 Markus Fischer <Ma...@knipp.de>:
>> Given that the plugin has been deprecated already, does anyone know for
>> which release the removal is planned? I was not able to find any
>> documentation regarding a Dojo plugin roadmap.
> 
> As from version 2.5
> https://cwiki.apache.org/confluence/display/WW/Struts+Next#StrutsNext-PlanforStruts2.5

Thank you, Łukasz. That is the information I was looking for (although I
was hoping for a 2.3.X or 2.4 answer ;-).

So, I second Dave's vote for removal soon.

Thanks,
Markus





Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Lukasz Lenart <lu...@apache.org>.
2014-10-20 16:49 GMT+02:00 Markus Fischer <Ma...@knipp.de>:
> Given that the plugin has been deprecated already, does anyone know for
> which release the removal is planned? I was not able to find any
> documentation regarding a Dojo plugin roadmap.

As from version 2.5
https://cwiki.apache.org/confluence/display/WW/Struts+Next#StrutsNext-PlanforStruts2.5


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Dave Newton <da...@gmail.com>.
I've been an advocate of not shipping it for some time now.

The fact that it's been deprecated and uses such an old version of
Dojo should be enough to dissuade usage, IMO, especially now that
there's a jQuery-based replacement.

I'd like to see it not ship at all.

Dave


On Mon, Oct 20, 2014 at 10:49 AM, Markus Fischer
<Ma...@knipp.de> wrote:
> Hi all.
>
>>>> According to the Apache Struts 2 Documentation (see
>>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two
>>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]).
>
>>> Probably it's a vulnerable version
>
>> I'd add that since the plugin has been deprecated since S2.1 it's unlikely
>> anything was ever done to deal with it.
>
> Given that the plugin has been deprecated already, does anyone know for
> which release the removal is planned? I was not able to find any
> documentation regarding a Dojo plugin roadmap.
>
> Cheers,
> Markus
>
>>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html
>>>
>>> [2]
>>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html



-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton
b: Bucky Bits
g: davelnewton
so: Dave Newton



Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Dave Newton <da...@gmail.com>.
The Dojo plugin hasn't been updated since... a long time. It still
uses an old version of Dojo.

On Mon, Oct 20, 2014 at 2:27 PM, Pedro Gonzales
<p....@gmail.com> wrote:
> Does anyone know if Struts 2.2.x is vulnerable or is this limited to 2.3.x?
>
> On 10/20/2014 9:49 AM, Markus Fischer wrote:
>>
>> Hi all.
>>
>>>>> According to the Apache Struts 2 Documentation (see
>>>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two
>>>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]).
>>>>
>>>> Probably it's a vulnerable version
>>>
>>> I'd add that since the plugin has been deprecated since S2.1 it's
>>> unlikely
>>> anything was ever done to deal with it.
>>
>> Given that the plugin has been deprecated already, does anyone know for
>> which release the removal is planned? I was not able to find any
>> documentation regarding a Dojo plugin roadmap.
>>
>> Cheers,
>> Markus
>>
>>>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html
>>>>
>>>> [2]
>>>>
>>>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html



-- 
e: davelnewton@gmail.com
m: 908-380-8699
s: davelnewton_skype
t: @dave_newton
b: Bucky Bits
g: davelnewton
so: Dave Newton



Re: Struts2 Roadmap w.r.t. Dojo plugin (was Re: Is the Dojo plugin version shipped with Struts 2.3.x vulnerable?)

Posted by Pedro Gonzales <p....@gmail.com>.
Does anyone know if Struts 2.2.x is vulnerable or is this limited to 2.3.x?
On 10/20/2014 9:49 AM, Markus Fischer wrote:
> Hi all.
>
>>>> According to the Apache Struts 2 Documentation (see
>>>> [1]), Struts 2.3.x ships with Dojo 0.4.3, which is vulnerable to two
>>>> major security issues (CVE-2010-2276 and CVE-2010-2272, see [2]).
>>> Probably it's a vulnerable version
>> I'd add that since the plugin has been deprecated since S2.1 it's unlikely
>> anything was ever done to deal with it.
> Given that the plugin has been deprecated already, does anyone know for
> which release the removal is planned? I was not able to find any
> documentation regarding a Dojo plugin roadmap.
>
> Cheers,
> Markus
>
>>> [1] http://struts.apache.org/release/2.3.x/docs/dojo-head.html
>>>
>>> [2]
>>> http://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/version_id-70187/Dojotoolkit-Dojo-0.4.3.html

