From: Struts Two
To: Struts Developers List
Date: Thu, 31 Jul 2008 06:31:05 -0700 (PDT)
Subject: Re: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix
Message-ID: <970687.23090.qm@web46104.mail.sp1.yahoo.com>

Any news on the 2.0.12 release that would contain XWork 2.0.6 for WebSphere users?



----- Original Message ----
From: Rene Gielen
To: Struts Users Mailing List
Sent: Wednesday, July 16, 2008 2:40:38 AM
Subject: [ANN] Struts 2.0.11.2 General Availability Release with Important Security Fix

Apache Struts 2.0.11.2 is now available from
.

This release is a fast track security fix release, including a security
fixed version 2.0.5 of XWork, which corrects a serious vulnerability in
ParametersInterceptor allowing malicious users to remotely change server
side context objects. For more information about the exploit, visit our
security bulletins page at
.

IMPORTANT ADDITIONAL NOTES:
There are two known issues with this release:
1. the integrated XWork 2.0.5 jar may cause problems when used in a
combination of WebSphere 6.1 runtime environments with validation
configuration via XML files.
Possible Workarounds:
- use annotation based validation definition instead of XML based
- stay with Struts 2.0.11.1 including XWork 2.0.4, applying the
  following exclude rule to your parameter interceptor refs in
  struts.xml

        .*[[^\\p{Graph}][\\\\#:=]].*

2. the filtering mechanism implemented in XWork's ParametersInterceptor
to fix the described security issue does not completely avoid any
possible malicious parameter name.
Possible Workaround:
- apply the following exclude rule to your parameter interceptor refs in
  struts.xml to avoid the usage of backslash characters in parameter
  names

        .*\\.*

Both issues will be addressed in a soon upcoming XWork 2.0.6 release,
followed by a new Struts 2.0 GA release including this new XWork version.

* All developers are advised to either update Struts 2 applications to
Struts 2.0.11.2 or manually exchange usages of xwork-2.0.x.jar with the
fixed xwork-2.0.5.jar to prevent remotely induced context manipulations.

For the complete release notes for Struts 2.0.11.2, see
.


- The Apache Struts Team.
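A way to check which request parameter names the two exclude rules quoted in the announcement would reject, as an added example that is neither part of this mailing-list thread nor code from the Struts or XWork projects. It assumes the doubled backslashes in the mail collapse to single ones by the time the value reaches the regex engine (effective pattern `.*[[^\p{Graph}][\\#:=]].*`), that Java's `\p{Graph}` means printable ASCII 0x21-0x7E, and it rewrites the Java character-class union as a Python alternation.

```python
"""Mirror of the two excludeParams workarounds from the 2.0.11.2 announcement.

Added example, not Struts/XWork code. Java's class union [[^\\p{Graph}][\\#:=]]
has no direct Python spelling, so it is rewritten as an alternation; the
assumption is that Java's \\p{Graph} (default, non-Unicode mode) is exactly
the printable ASCII range 0x21-0x7E.
"""
import re

# Workaround 1 (for staying on 2.0.11.1 / XWork 2.0.4): reject any parameter
# name containing a non-graphic character (whitespace, control characters,
# non-ASCII) or any of the characters \ # : =
EXCLUDE_RULE_1 = re.compile(r".*(?:[^\x21-\x7e]|[\\#:=]).*")

# Workaround 2 (for the gap left in XWork 2.0.5's own filter): reject any
# parameter name containing a backslash.
EXCLUDE_RULE_2 = re.compile(r".*\\.*")

RULES = {"no-nongraph-or-\\#:=": EXCLUDE_RULE_1, "no-backslash": EXCLUDE_RULE_2}


def matching_rules(name: str) -> list:
    """Names of the exclude rules that match the whole parameter name.

    fullmatch() mirrors Java's Matcher.matches(), which is why the
    announcement's patterns carry a leading and trailing '.*'.
    """
    return [label for label, rule in RULES.items() if rule.fullmatch(name)]


def is_excluded(name: str) -> bool:
    """True if any exclude rule rejects this parameter name."""
    return bool(matching_rules(name))


def filter_params(params: dict) -> dict:
    """Drop parameters whose names hit an exclude rule, the way the
    ParametersInterceptor skips excluded names before setting values."""
    return {k: v for k, v in params.items() if not is_excluded(k)}


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = {"user.name": "alice", "items[0].id": "7",
              "#foo": "1", "a=b": "2", "a b": "3", "c\\d": "4"}
    for name in sample:
        print(f"{name!r:16} -> {matching_rules(name) or 'allowed'}")
    print(filter_params(sample))
```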