From commits-return-17977-archive-asf-public=cust-asf.ponee.io@struts.apache.org Wed Aug 22 09:30:58 2018
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id AFF60180662 for ; Wed, 22 Aug 2018 09:30:57 +0200 (CEST)
Received: (qmail 74324 invoked by uid 500); 22 Aug 2018 07:30:56 -0000
Mailing-List: contact commits-help@struts.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@struts.apache.org
Delivered-To: mailing list commits@struts.apache.org
Received: (qmail 74315 invoked by uid 99); 22 Aug 2018 07:30:56 -0000
Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Aug 2018 07:30:56 +0000
Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id B1C9B88C01; Wed, 22 Aug 2018 07:30:55 +0000 (UTC)
Date: Wed, 22 Aug 2018 07:30:55 +0000
To: "commits@struts.apache.org"
Subject: [struts-site] branch asf-site updated: Updates production by Jenkins
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <153492305565.3991.7391342250620935899@gitbox.apache.org>
From: git-site-role@apache.org
X-Git-Host: gitbox.apache.org
X-Git-Repo: struts-site
X-Git-Refname: refs/heads/asf-site
X-Git-Reftype: branch
X-Git-Oldrev: dfe5af90463b40b04a61a59a0dd337188b6dbc8b
X-Git-Newrev: 871b9b498d6baefe7f8991bb0c86dd0b8c2ad502
X-Git-Rev: 871b9b498d6baefe7f8991bb0c86dd0b8c2ad502
X-Git-NotificationType: ref_changed_plus_diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated

This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git

The following commit(s) were added to refs/heads/asf-site by this push:
     new 871b9b4  Updates production by Jenkins
871b9b4 is described below

commit 871b9b498d6baefe7f8991bb0c86dd0b8c2ad502
Author: jenkins
AuthorDate: Wed Aug 22 07:30:53 2018 +0000

    Updates production by Jenkins
---
 content/announce.html                           | 72 +++++++++++++++++++++
 content/core-developers/interceptors.html       |  2 +
 content/core-developers/struts-default-xml.html |  2 +
 content/download.html                           | 84 ++++++++++++-------------
 content/index.html                              | 22 +++----
 content/releases.html                           | 15 ++++-
 6 files changed, 143 insertions(+), 54 deletions(-)

diff --git a/content/announce.html b/content/announce.html
index 32f7605..5faaddd 100644
--- a/content/announce.html
+++ b/content/announce.html
@@ -130,6 +130,9 @@

Announcements 2018

    +
  • 22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
  • +
  • 22 August 2018 - Struts 2.5.17 General Availability
  • +
  • 22 August 2018 - Struts 2.3.35 General Availability
  • 27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin
  • 23 March 2018 - Immediately upgrade commons-fileupload to version 1.3.3
  • 16 March 2018 - Struts 2.5.16 General Availability
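Review bot: the new CVE-2018-11776 entry at the top of the 2018 list names only the affected version ranges, while the neighbouring 27 March entry states what the issue is ("A crafted XML request can be used to perform a DoS attack ..."); add the problem type to the link text, e.g. "CVE-2018-11776 Possible Remote Code Execution in Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16", so a reader scanning the list sees the severity without opening the entry. Ordering is right: the advisory sits above the two same-day GA release notes it motivates.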
  • @@ -139,6 +142,75 @@ Skip to: Announcements - 2017

    +

    22 August 2018 - CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16

    + +

    CVEID:CVE-2018-11776

    + +

    PRODUCT:Apache Struts

    + +

    VERSION:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16

    + +

    PROBLEMTYPE:Remote Code Execution

    + +

    REFERENCES:S2-057

    + +

    DESCRIPTION:Man Yue Mo from the Semmle Security Research team was noticed that Apache Struts versions 2.3 to 2.3.34 and +2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its +upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action +set and in same time, its upper action(s) have no or wildcard namespace.

    + +

    22 August 2018 - Struts 2.5.17 General Availability

    + +

    The Apache Struts group is pleased to announce that Struts 2.5.17 is available as a “General Availability” +release. The GA designation is our highest quality grade.

    + +

    In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:

    + +
      +
    • Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - S2-057
    • +
    + +

    Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.

    + +

    All developers are strongly advised to perform this action.

    + +

    The 2.5.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 7.

    + +

    Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.

    + +

    You can download this version from our download page.

    + +

    22 August 2018 - Struts 2.3.35 General Availability

    + +

    The Apache Struts group is pleased to announce that Struts 2.3.35 is available as a “General Availability” +release. The GA designation is our highest quality grade.

    + +

    In addition to critical overall proactive security improvements, this release addresses one potential security vulnerability:

    + +
      +
    • Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or +wildcard namespace. Same possibility when using url tag which doesn’t have value and action set. - S2-057
    • +
    + +

    Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. +The framework is designed to streamline the full development cycle, from building, to deploying, +to maintaining applications over time.

    + +

    All developers are strongly advised to perform this action.

    + +

    The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: +Servlet API 2.4, JSP API 2.0, and Java 6.

    + +

    Should any issues arise with your use of any version of the Struts framework, please post your comments +to the user list, and, if appropriate, file a tracking ticket.

    + +

    You can download this version from our download page.

    +

    27 March 2018 - A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin

    The Apache Security Struts Team recommends to immediately upgrade your Struts 2 based projects to use the latest released diff --git a/content/core-developers/interceptors.html b/content/core-developers/interceptors.html index 91095e6..5409037 100644 --- a/content/core-developers/interceptors.html +++ b/content/core-developers/interceptors.html @@ -286,6 +286,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <!-- this is simpler version of the above used with string comparison --> <constant name="struts.excludedPackageNames" value=" + com.opensymphony.xwork2.ognl., java.lang., ognl., javax, @@ -293,6 +294,7 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t freemarker.template., freemarker.ext.rhino., freemarker.ext.beans., + sun.misc., sun.reflect., javassist." /> diff --git a/content/core-developers/struts-default-xml.html b/content/core-developers/struts-default-xml.html index 0c0ab39..fab4f27 100644 --- a/content/core-developers/struts-default-xml.html +++ b/content/core-developers/struts-default-xml.html @@ -201,6 +201,7 @@ setting in struts.properties.
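Review bot: in the announce.html hunk, the DESCRIPTION paragraph of the CVE-2018-11776 entry carries grammar defects that will be read by a wide audience: "was noticed" should be "noticed", "in same time" should be "at the same time", and "which doesn't have value and action set" should be "which has neither value nor action set". The release-note bullet under both 2.5.17 and 2.3.35 ("Same possibility when using url tag which doesn't have value and action set. - S2-057") also drops the qualifier that the DESCRIPTION attaches to the url-tag case, namely that its upper action(s) have no or wildcard namespace; keep the two statements of the precondition identical so users do not under- or over-estimate their exposure. "All developers are strongly advised to perform this action." appears in both GA entries with no antecedent for "this action"; say "to upgrade to Struts 2.5.17" and "to upgrade to Struts 2.3.35" respectively. The REFERENCES field names S2-057; make sure that token links to the advisory page rather than standing as bare text.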

    <!-- this is simpler version of the above used with string comparison --> <constant name="struts.excludedPackageNames" value=" + com.opensymphony.xwork2.ognl., java.lang., ognl., javax, @@ -208,6 +209,7 @@ setting in struts.properties.

    freemarker.template., freemarker.ext.rhino., freemarker.ext.beans., + sun.misc., sun.reflect., javassist." /> diff --git a/content/download.html b/content/download.html index 73b1735..715ed20 100644 --- a/content/download.html +++ b/content/download.html @@ -189,26 +189,26 @@
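Review bot: the interceptors.html and struts-default-xml.html hunks add com.opensymphony.xwork2.ognl. and sun.misc. to the documented struts.excludedPackageNames value, but the visible surrounding text does not say which Struts release first ships these two entries as defaults; this commit lands alongside the 2.5.17 and 2.3.35 announcements, so state the release explicitly, otherwise a reader on an older version who relies on framework defaults may believe the stronger list is already in effect. Since the same snippet is hand-duplicated in both files, also look at the pre-existing entry "javax," in each copy: it is the only one without a trailing dot, and the comment says the list is "used with string comparison", so if that comparison is a prefix match it covers any package name that merely begins with javax, not only the javax.* tree; add the dot or comment on why it is deliberately broader.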

    Full Releases

    -

    Struts 2.5.16

    +

    Struts 2.5.17

    - Apache Struts 2.5.16 is an elegant, extensible + Apache Struts 2.5.17 is an elegant, extensible framework for creating enterprise-ready Java web applications. It is available in a full distribution, or as separate library, source, example and documentation distributions. - Struts 2.5.16 is the "best available" version of Struts in the 2.5 series. + Struts 2.5.17 is the "best available" version of Struts in the 2.5 series.

    -

    Struts 2.3.34

    +

    Struts 2.3.35
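Review bot: in the download.html hunk, the 2.5.16 heading and paragraph become 2.5.17 and the 2.3.34 heading becomes 2.3.35, but nothing in the changed lines tells a visitor that the versions being replaced are the ones affected by CVE-2018-11776; the download page is where users on the old releases land, so a one-line pointer to the S2-057 advisory beside "best available" would help. The @@ -189,26 +189,26 @@ header announces 26 changed lines, yet only the 2.5.x paragraph and the 2.3.35 heading are visible here, so the 2.3.x description paragraph and the rest of the hunk could not be reviewed from this message.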