struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: [VOTE][FASTTRACK] Struts 2.3.29
Date Wed, 22 Jun 2016 08:28:36 GMT
The vote is closed but it would be good if you could next time help us
testing a new release.


Thanks in advance
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

2016-06-21 16:15 GMT+02:00 dario.liberman@javelingroup.com
<dario.liberman@javelingroup.com>:
> -1
>
> Hi,
>
> Should 2.3.29 be recalled based on the regressions found for all Struts tag name attribute
expressions?
> See: https://issues.apache.org/jira/browse/WW-4641
>
> Regards,
>
> Dario dot Liberman at JavelinGroup dot com
>
> On 2016-06-14 08:07 (+0100), Lukasz Lenart <lukaszlenart@apache.org> wrote:
>> The Struts 2.3.29 test build is now available. It includes the latest
>> security patch which fixes few possible vulnerabilities:
>> -  Action name clean up is error prone
>> - Forced double OGNL evaluation, when evaluated on raw user input in
>> tag attributes, may lead to remote code execution (similar to S2-029)
>> - Remote Code Execution can be performed when using REST Plugin.
>> - It is possible to bypass token validation and perform a CSRF attack
>> - Getter as action method leads to security bypass
>> - Input validation bypass using existing default action method.
>> - Possible DoS attack when using URLValidator
>>
>> For details and the rationale behind these changes, please consult the
>> corresponding security bulletins:
>> * https://cwiki.apache.org/confluence/display/WW/S2-035
>> * https://cwiki.apache.org/confluence/display/WW/S2-036
>> * https://cwiki.apache.org/confluence/display/WW/S2-037
>> * https://cwiki.apache.org/confluence/display/WW/S2-038
>> * https://cwiki.apache.org/confluence/display/WW/S2-039
>> * https://cwiki.apache.org/confluence/display/WW/S2-040
>> * https://cwiki.apache.org/confluence/display/WW/S2-041
>>
>> Except the above, few other issues were resolved as well:
>> [WW-4608] - Json result type breaks
>> [WW-4618] - MessageStorePreResultListener doesn't store messages for
>> 3rd-party RedirectResult subclasses
>> [WW-4622] - [struts2-tiles-plugin] [2.3.28]
>> [StrutsWildcardServletTilesApplicationContext] getRealPath
>> [WW-4623] - Multiple tiles.xml in web.xml
>> [WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
>> [WW-4626] - EmailValidator flags .cat emails as invalid
>> [WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are
>> serialized twice since jdk1.7_80
>> [WW-4629] - Tile definition Inheritance/overriding is broken in
>> Struts2 tiles plugin 2.3.28+
>> [WW-4630] - <s:submit> generates a value attribute for type=image
>> which violates W3C
>> [WW-4633] - ClassCastException while generating report using Struts
>> 2.3.28 and jasperreports 4.5.1
>>
>> Release notes:
>> * https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.29
>>
>> Distribution:
>> * https://dist.apache.org/repos/dist/dev/struts/2.3.29/
>>
>> Maven 2 staging repository:
>> * https://repository.apache.org/content/repositories/staging/
>>
>> Once you have had a chance to review the test build, please respond
>> with a vote on its quality:
>>
>> [ ] Leave at test build
>> [ ] Alpha
>> [ ] Beta
>> [ ] General Availability (GA)
>>
>> Everyone who has tested the build is invited to vote. Votes by PMC
>> members are considered binding. A vote passes if there are at least
>> three binding +1s and more +1s than -1s.
>>
>> This is a "fast-track" release vote. If we have a positive vote after
>> 24 hours (at least three binding +1s and more +1s than -1s),  the
>> release may be submitted for mirroring and announced to the usual
>> channels.
>>
>> The website download link will include the mirroring timestamp
>> parameter [1], which limits the selection of mirrors to those that
>> have been refreshed since the indicated time and date. (After 24
>> hours, we *must* remove the timestamp parameter from the website link,
>> to avoid unnecessary server load.) In the case of a fast-track
>> release, the email announcement will not link directly to
>> <download.cgi>, but to <downloads.html>, so that we can control use of
>> the timestamp parameter.
>>
>> [1] http://apache.org/dev/mirrors.html#use
>>
>> - The Apache Struts group.
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Mime
View raw message