Posted to user@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2014/03/06 10:04:12 UTC

[ANN] Struts 2.3.16.1 GA release available - security fix

The Apache Struts group is pleased to announce that Struts 2.3.16.1 is
available as a "General Availability" release. The GA designation is
our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating
enterprise-ready Java web applications. The framework is designed to
streamline the full development cycle, from building, to deploying, to
maintaining applications over time.

This release includes important security fixes:
- S2-020 - ClassLoader manipulation via request parameters
- upgraded Commons FileUpload library to prevent DoS attacks

* http://struts.apache.org/release/2.3.x/docs/s2-020.html

All developers are strongly advised to update existing Struts 2
applications to Struts 2.3.16.1.

Struts 2.3.16.1 is available in a full distribution, or as separate
library, source, example and documentation distributions, from the
releases page.
* http://struts.apache.org/download.cgi#struts23161

The release is also available from the central Maven repository under
Group ID "org.apache.struts".

The 2.3.x series of the Apache Struts framework has a minimum
requirement of the following specification versions:
* Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
* Java 2 Standard Platform Edition (J2SE) 5

The release notes are available online at:
* http://struts.apache.org/release/2.3.x/docs/version-notes-23161.html

Should any issues arise with your use of any version of the Struts
framework, please post your comments to the user list, and, if
appropriate, file a tracking ticket:
* https://issues.apache.org/jira/browse/WW


- The Apache Struts group.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: [Full-disclosure] [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
No, rather no. You gain access to ClassLoader.

2014-03-06 16:43 GMT+01:00 Tim <ti...@sentinelchicken.org>:
>
>> This release includes important security fixes:
>> - S2-020 - ClassLoader manipulation via request parameters
>
> What is the ultimate impact of this manipulation?  Another RCE bug?
>
> tim


Re: [Full-disclosure] [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by Tim <ti...@sentinelchicken.org>.
> This release includes important security fixes:
> - S2-020 - ClassLoader manipulation via request parameters

What is the ultimate impact of this manipulation?  Another RCE bug?

tim


Re: [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by JOSE L MARTINEZ-AVIAL <jl...@gmail.com>.
Oh, thanks. I was looking on
http://mvnrepository.com/artifact/org.apache.struts/struts2-core, not on
maven.org. I got it now.

JL


2014-03-07 11:50 GMT-05:00 Lukasz Lenart <lu...@apache.org>:

> It is
>
> http://search.maven.org/#artifactdetails%7Corg.apache.struts%7Cstruts2-core%7C2.3.16.1%7Cjar
>
> 2014-03-07 17:41 GMT+01:00 JOSE L MARTINEZ-AVIAL <jl...@gmail.com>:
> > Hi Lukasz,
> >  The version 2.3.16.1 is not available yet in Maven repository. When do you
> > think it will be available?
> >
> >  Thanks
> >
> > JL
> >
> >
> > 2014-03-06 12:27 GMT-05:00 Lukasz Lenart <lu...@apache.org>:
> >
> >> Ok, thanks!
> >>
> >> 2014-03-06 18:23 GMT+01:00 Mark Thomas <ma...@apache.org>:
> >> > On 06/03/2014 17:08, Lukasz Lenart wrote:
> >> >> So who's the reporter?
> >> >
> >> > We (the ASF) know who discovered CVE-2014-0050 but they have not given
> >> > permission to be named. The only public credit information is that which
> >> > was published for CVE-2014-0050.
> >> >
> >> > Mark
> >> >
> >> >>
> >> >> 2014-03-06 16:54 GMT+01:00 Mark Thomas <ma...@apache.org>:
> >> >>> On 06/03/2014 09:04, Lukasz Lenart wrote:
> >> >>>> This release includes important security fixes:
> >> >>>> - S2-020 - ClassLoader manipulation via request parameters
> >> >>>> - upgraded Commons FileUpload library to prevent DoS attacks
> >> >>>>
> >> >>>> * http://struts.apache.org/release/2.3.x/docs/s2-020.html
> >> >>>
> >> >>> Please remove my name from the reporters. I just forwarded the e-mail
> >> >>> that the security team received. I do not deserve any of the credit for
> >> >>> discovering this issue.
> >> >>>
> >> >>> Mark
> >> >>>
> >> >>

Re: [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
It is
http://search.maven.org/#artifactdetails%7Corg.apache.struts%7Cstruts2-core%7C2.3.16.1%7Cjar

2014-03-07 17:41 GMT+01:00 JOSE L MARTINEZ-AVIAL <jl...@gmail.com>:
> Hi Lukasz,
>  The version 2.3.16.1 is not available yet in Maven repository. When do you
> think it will be available?
>
>  Thanks
>
> JL
>
>
> 2014-03-06 12:27 GMT-05:00 Lukasz Lenart <lu...@apache.org>:
>
>> Ok, thanks!
>>
>> 2014-03-06 18:23 GMT+01:00 Mark Thomas <ma...@apache.org>:
>> > On 06/03/2014 17:08, Lukasz Lenart wrote:
>> >> So who's the reporter?
>> >
>> > We (the ASF) know who discovered CVE-2014-0050 but they have not given
>> > permission to be named. The only public credit information is that which
>> > was published for CVE-2014-0050.
>> >
>> > Mark
>> >
>> >>
>> >> 2014-03-06 16:54 GMT+01:00 Mark Thomas <ma...@apache.org>:
>> >>> On 06/03/2014 09:04, Lukasz Lenart wrote:
>> >>>> This release includes important security fixes:
>> >>>> - S2-020 - ClassLoader manipulation via request parameters
>> >>>> - upgraded Commons FileUpload library to prevent DoS attacks
>> >>>>
>> >>>> * http://struts.apache.org/release/2.3.x/docs/s2-020.html
>> >>>
>> >>> Please remove my name from the reporters. I just forwarded the e-mail
>> >>> that the security team received. I do not deserve any of the credit for
>> >>> discovering this issue.
>> >>>
>> >>> Mark
>> >>>
>> >>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by JOSE L MARTINEZ-AVIAL <jl...@gmail.com>.
Hi Lukasz,
 The version 2.3.16.1 is not available yet in Maven repository. When do you
think it will be available?

 Thanks

JL


2014-03-06 12:27 GMT-05:00 Lukasz Lenart <lu...@apache.org>:

> Ok, thanks!
>
> 2014-03-06 18:23 GMT+01:00 Mark Thomas <ma...@apache.org>:
> > On 06/03/2014 17:08, Lukasz Lenart wrote:
> >> So who's the reporter?
> >
> > We (the ASF) know who discovered CVE-2014-0050 but they have not given
> > permission to be named. The only public credit information is that which
> > was published for CVE-2014-0050.
> >
> > Mark
> >
> >>
> >> 2014-03-06 16:54 GMT+01:00 Mark Thomas <ma...@apache.org>:
> >>> On 06/03/2014 09:04, Lukasz Lenart wrote:
> >>>> This release includes important security fixes:
> >>>> - S2-020 - ClassLoader manipulation via request parameters
> >>>> - upgraded Commons FileUpload library to prevent DoS attacks
> >>>>
> >>>> * http://struts.apache.org/release/2.3.x/docs/s2-020.html
> >>>
> >>> Please remove my name from the reporters. I just forwarded the e-mail
> >>> that the security team received. I do not deserve any of the credit for
> >>> discovering this issue.
> >>>
> >>> Mark
> >>>
> >>

Re: [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
Ok, thanks!

2014-03-06 18:23 GMT+01:00 Mark Thomas <ma...@apache.org>:
> On 06/03/2014 17:08, Lukasz Lenart wrote:
>> So who's the reporter?
>
> We (the ASF) know who discovered CVE-2014-0050 but they have not given
> permission to be named. The only public credit information is that which
> was published for CVE-2014-0050.
>
> Mark
>
>>
>> 2014-03-06 16:54 GMT+01:00 Mark Thomas <ma...@apache.org>:
>>> On 06/03/2014 09:04, Lukasz Lenart wrote:
>>>> This release includes important security fixes:
>>>> - S2-020 - ClassLoader manipulation via request parameters
>>>> - upgraded Commons FileUpload library to prevent DoS attacks
>>>>
>>>> * http://struts.apache.org/release/2.3.x/docs/s2-020.html
>>>
>>> Please remove my name from the reporters. I just forwarded the e-mail
>>> that the security team received. I do not deserve any of the credit for
>>> discovering this issue.
>>>
>>> Mark
>>>
>>


Re: [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by Lukasz Lenart <lu...@apache.org>.
So who's the reporter?

2014-03-06 16:54 GMT+01:00 Mark Thomas <ma...@apache.org>:
> On 06/03/2014 09:04, Lukasz Lenart wrote:
>> This release includes important security fixes:
>> - S2-020 - ClassLoader manipulation via request parameters
>> - upgraded Commons FileUpload library to prevent DoS attacks
>>
>> * http://struts.apache.org/release/2.3.x/docs/s2-020.html
>
> Please remove my name from the reporters. I just forwarded the e-mail
> that the security team received. I do not deserve any of the credit for
> discovering this issue.
>
> Mark
>


Re: [ANN] Struts 2.3.16.1 GA release available - security fix

Posted by Mark Thomas <ma...@apache.org>.
On 06/03/2014 09:04, Lukasz Lenart wrote:
> This release includes important security fixes:
> - S2-020 - ClassLoader manipulation via request parameters
> - upgraded Commons FileUpload library to prevent DoS attacks
> 
> * http://struts.apache.org/release/2.3.x/docs/s2-020.html

Please remove my name from the reporters. I just forwarded the e-mail
that the security team received. I do not deserve any of the credit for
discovering this issue.

Mark
