From commits-return-17977-archive-asf-public=cust-asf.ponee.io@struts.apache.org Wed Aug 22 09:30:58 2018
Return-Path: Announcements 2018
+
CVEID:CVE-2018-11776
+ +PRODUCT:Apache Struts
+ +VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
+ +PROBLEMTYPE:Remote Code Execution
+ +REFERENCES:S2-057
+ +DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and +2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its +upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action +set and in same time, its upper action(s) have no or wildcard namespace.
+ +The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a “General Availability” +release. The GA designation is our highest quality grade.
+ +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:
+ +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.
+ +All developers are strongly advised to perform this action.
+ +The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7.
+ +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.
+ +You can download this version from our download page.
+ +The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a “General Availability” +release. The GA designation is our highest quality grade.
+ +In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:
+ +Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.
+ +All developers are strongly advised to perform this action.
+ +The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6.
+ +Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.
+ +You can download this version from our download page.
+The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released diff --git a/content/core-developers/interceptors.html b/content/core-developers/interceptors.html index 91095e6..5409037 100644 --- a/content/core-developers/interceptors.html +++ b/content/core-developers/interceptors.html @@ -286,6 +286,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <!-- this is simpler version of the above used with string comparison --> <constant name="struts.excludedPackageNames" value=" + com.opensymphony.xwork2.ognl., java.lang., ognl., javax, @@ -293,6 +294,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t freemarker.template., freemarker.ext.rhino., freemarker.ext.beans., + sun.misc., sun.reflect., javassist." /> diff --git a/content/core-developers/struts-default-xml.html b/content/core-developers/struts-default-xml.html index 0c0ab39..fab4f27 100644 --- a/content/core-developers/struts-default-xml.html +++ b/content/core-developers/struts-default-xml.html @@ -201,6 +201,7 @@ setting in struts.properties.
<!-- this is simpler version of the above used with string comparison --> <constant name="struts.excludedPackageNames" value=" + com.opensymphony.xwork2.ognl., java.lang., ognl., javax, @@ -208,6 +209,7 @@ setting in struts.properties. freemarker.template., freemarker.ext.rhino., freemarker.ext.beans., + sun.misc., sun.reflect., javassist." /> diff --git a/content/download.html b/content/download.html index 73b1735..715ed20 100644 --- a/content/download.html +++ b/content/download.html @@ -189,26 +189,26 @@- Apache Struts 2.5.16 is an elegant, extensible + Apache Struts 2.5.17 is an elegant, extensible framework for creating enterprise-ready Java web applications. It is available in a full distribution, or as separate library, source, example and documentation distributions. - Struts 2.5.16 is the "best available" version of Struts in the 2.5 series. + Struts 2.5.17 is the "best available" version of Struts in the 2.5 series.
- Apache Struts 2.5.16 GA has been released
on 16 March 2018.
+ Apache Struts 2.5.17 GA has been released
on 22 August 2018.
It's the latest release of Struts 2.3.x which contains the latest security fixes,
- read more in Announcement or in
- Version notes
+ released on 22 August 2018.
Read more in Announcement or in
+ Version notes
The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use - the latest released version of the Apache Struts to prevent possible DoS attack when using the REST plugin. - Announcement + the latest released version of the Apache Struts to prevent possible RCE attack when using results with no namespace, + reported in S2-057. Read more in Announcement.
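Review bot: In both release announcements the sentence "this release addresses one potential security vulnerability:" is followed directly by the generic "Apache Struts 2 is an elegant, extensible framework" paragraph, so the vulnerability is never named in the announcement body; add the S2-057 / CVE-2018-11776 line ("Possible Remote Code Execution when using results with no namespace ...") after the colon in both the 2.5.17 and the 2.3.35 text. The same applies to "All developers are strongly advised to perform this action.", which has no preceding sentence stating the action (upgrading to 2.5.17 or 2.3.35 respectively). Wording in the DESCRIPTION field: "was noticed that" should be "noticed that", and "in same time" should be "at the same time"; the closing recommendation line ends at "the latest released" and should state the target version.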
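Review bot: In the interceptors.html hunks the two new entries, `com.opensymphony.xwork2.ognl.,` and `sun.misc.,`, are added to the `struts.excludedPackageNames` listing without any note on which Struts release that listing reflects; since readers on 2.3.x and 2.5.x use this page to compare against their own struts-default.xml, add a sentence such as "as shipped in Struts 2.5.17 / 2.3.35" next to the block. Minor: the context comment `<!-- this is simpler version of the above used with string comparison -->` should read "this is a simpler version".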
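Review bot: The struts-default-xml.html hunks repeat the exact `struts.excludedPackageNames` edit made in interceptors.html (same two inserted lines, `com.opensymphony.xwork2.ognl.,` and `sun.misc.,`), so the listing is now maintained by hand in two pages; either have one page link to the other as the single reference copy, or add a comment in both source files that the blocks must be changed together, otherwise the next security update is likely to update only one of them.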
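Review bot: In the download.html hunk the unchanged context line "It's the latest release of Struts 2.3.x which contains the latest security fixes," sits directly after the new "Apache Struts 2.5.17 GA has been released on 22 August 2018." lines; if that paragraph belongs to the 2.5 section it should read "2.5.x", and if it is the 2.3 section the hunk should also bump the 2.3 version text, which is not visible here apart from the new "released on 22 August 2018." line. In the recommendation paragraph, "prevent possible RCE attack when using results with no namespace, reported in S2-057" should read "prevent a possible RCE attack ... reported in S2-057", and "the latest released version of the Apache Struts" should drop "the" before "Apache Struts".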