Return-Path: X-Original-To: apmail-struts-dev-archive@www.apache.org Delivered-To: apmail-struts-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BFC0EDFD6 for ; Fri, 24 May 2013 21:36:28 +0000 (UTC) Received: (qmail 2122 invoked by uid 500); 24 May 2013 21:36:28 -0000 Delivered-To: apmail-struts-dev-archive@struts.apache.org Received: (qmail 2093 invoked by uid 500); 24 May 2013 21:36:28 -0000 Mailing-List: contact dev-help@struts.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Help: List-Post: List-Id: "Struts Developers List" Reply-To: "Struts Developers List" Delivered-To: mailing list dev@struts.apache.org Received: (qmail 2074 invoked by uid 99); 24 May 2013 21:36:28 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 24 May 2013 21:36:28 +0000 X-ASF-Spam-Status: No, hits=0.0 required=5.0 tests= X-Spam-Check-By: apache.org Received-SPF: error (nike.apache.org: local policy) Received: from [85.214.44.140] (HELO e.nrgie.net) (85.214.44.140) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 24 May 2013 21:36:20 +0000 Received: from Renes-MacBook-Pro.local (p508A0A96.dip0.t-ipconnect.de [80.138.10.150]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by e.nrgie.net (Postfix) with ESMTP id 5CB1DEFCC7E for ; Sat, 25 May 2013 00:26:49 +0200 (CEST) Message-ID: <519FDD2A.7060306@apache.org> Date: Fri, 24 May 2013 23:35:38 +0200 From: Rene Gielen User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: Struts Developers List Subject: [VOTE] Struts 2.3.14.2 quality (fast track) Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8bit X-Virus-Checked: Checked by ClamAV on apache.org The Struts 2.3.14.2 test build is now available. It includes the latest security patches which fix possible vulnerabilities: * OGNL evaluation for included URL parameters has been dropped For details and the rationale behind these changes, please consult the corresponding security bulletin: * https://cwiki.apache.org/confluence/display/WW/S2-014 Please note that currently these bulletins and the release notes are only visible to logged-in users with the struts-committer role. This is a needed requirement to control disclosure until the actual release is announced. Release notes: * [https://cwiki.apache.org/confluence/displa/WW/Version+Notes+2.3.14.2] Distribution: * [http://people.apache.org/builds/struts/2.3.14.2/] Maven 2 staging repository: * [https://repository.apache.org/content/groups/staging/] Once you have had a chance to review the test build, please respond with a vote on its quality: [ ] Leave at test build [ ] Alpha [ ] Beta [ ] General Availability (GA) Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s. This is a "fast-track" release vote. If we have a positive vote after 24 hours (at least three binding +1s and more +1s than -1s), the release may be submitted for mirroring and announced to the usual channels. The website download link will include the mirroring timestamp parameter [1], which limits the selection of mirrors to those that have been refreshed since the indicated time and date. (After 24 hours, we *must* remove the timestamp parameter from the website link, to avoid unnecessary server load.) In the case of a fast-track release, the email announcement will not link directly to , but to , so that we can control use of the timestamp parameter. [1] http://apache.org/dev/mirrors.html#use -- Ren� Gielen http://twitter.com/rgielen --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org For additional commands, e-mail: dev-help@struts.apache.org