struts-dev mailing list archives

From Greg Huber <gregh3...@gmail.com>
Subject Re: [VOTE][FASTTRACK] Struts 2.3.29
Date Wed, 22 Jun 2016 08:37:48 GMT
As there are web.xml, struts.xml and dtd changes for v2.5, testing prior
releases is problematic, so it is best to switch to the latest versions if
upgrading. Also, the latest versions will get much more testing.

Cheers Greg

On 22 June 2016 at 09:28, Lukasz Lenart <lukaszlenart@apache.org> wrote:

> The vote is closed but it would be good if you could next time help us
> test a new release.
>
>
> Thanks in advance
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>
> 2016-06-21 16:15 GMT+02:00 dario.liberman@javelingroup.com
> <dario.liberman@javelingroup.com>:
> > -1
> >
> > Hi,
> >
> > Should 2.3.29 be recalled based on the regressions found for all Struts
> > tag name attribute expressions?
> > See: https://issues.apache.org/jira/browse/WW-4641
> >
> > Regards,
> >
> > Dario dot Liberman at JavelinGroup dot com
> >
> > On 2016-06-14 08:07 (+0100), Lukasz Lenart <lukaszlenart@apache.org>
> > wrote:
> >> The Struts 2.3.29 test build is now available. It includes the latest
> >> security patch which fixes a few possible vulnerabilities:
> >> - Action name clean up is error prone
> >> - Forced double OGNL evaluation, when evaluated on raw user input in
> >> tag attributes, may lead to remote code execution (similar to S2-029)
> >> - Remote Code Execution can be performed when using REST Plugin.
> >> - It is possible to bypass token validation and perform a CSRF attack
> >> - Getter as action method leads to security bypass
> >> - Input validation bypass using existing default action method.
> >> - Possible DoS attack when using URLValidator
> >>
> >> For details and the rationale behind these changes, please consult the
> >> corresponding security bulletins:
> >> * https://cwiki.apache.org/confluence/display/WW/S2-035
> >> * https://cwiki.apache.org/confluence/display/WW/S2-036
> >> * https://cwiki.apache.org/confluence/display/WW/S2-037
> >> * https://cwiki.apache.org/confluence/display/WW/S2-038
> >> * https://cwiki.apache.org/confluence/display/WW/S2-039
> >> * https://cwiki.apache.org/confluence/display/WW/S2-040
> >> * https://cwiki.apache.org/confluence/display/WW/S2-041
> >>
> >> Besides the above, a few other issues were resolved as well:
> >> [WW-4608] - Json result type breaks
> >> [WW-4618] - MessageStorePreResultListener doesn't store messages for
> >> 3rd-party RedirectResult subclasses
> >> [WW-4622] - [struts2-tiles-plugin] [2.3.28]
> >> [StrutsWildcardServletTilesApplicationContext] getRealPath
> >> [WW-4623] - Multiple tiles.xml in web.xml
> >> [WW-4624] - New Tiles version can not find tiles*.xml files in
> >> sub-directories
> >> [WW-4626] - EmailValidator flags .cat emails as invalid
> >> [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are
> >> serialized twice since jdk1.7_80
> >> [WW-4629] - Tile definition Inheritance/overriding is broken in
> >> Struts2 tiles plugin 2.3.28+
> >> [WW-4630] - <s:submit> generates a value attribute for type=image
> >> which violates W3C
> >> [WW-4633] - ClassCastException while generating report using Struts
> >> 2.3.28 and jasperreports 4.5.1
> >>
> >> Release notes:
> >> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.29
> >>
> >> Distribution:
> >> * https://dist.apache.org/repos/dist/dev/struts/2.3.29/
> >>
> >> Maven 2 staging repository:
> >> * https://repository.apache.org/content/repositories/staging/
> >>
> >> Once you have had a chance to review the test build, please respond
> >> with a vote on its quality:
> >>
> >> [ ] Leave at test build
> >> [ ] Alpha
> >> [ ] Beta
> >> [ ] General Availability (GA)
> >>
> >> Everyone who has tested the build is invited to vote. Votes by PMC
> >> members are considered binding. A vote passes if there are at least
> >> three binding +1s and more +1s than -1s.
> >>
> >> This is a "fast-track" release vote. If we have a positive vote after
> >> 24 hours (at least three binding +1s and more +1s than -1s), the
> >> release may be submitted for mirroring and announced to the usual
> >> channels.
> >>
> >> The website download link will include the mirroring timestamp
> >> parameter [1], which limits the selection of mirrors to those that
> >> have been refreshed since the indicated time and date. (After 24
> >> hours, we *must* remove the timestamp parameter from the website link,
> >> to avoid unnecessary server load.) In the case of a fast-track
> >> release, the email announcement will not link directly to
> >> <download.cgi>, but to <downloads.html>, so that we can control use of
> >> the timestamp parameter.
> >>
> >> [1] http://apache.org/dev/mirrors.html#use
> >>
> >> - The Apache Struts group.
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
