struts-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Lukasz Lenart <lukaszlen...@apache.org>
Subject [VOTE][FASTTRACK] Struts 2.3.29
Date Tue, 14 Jun 2016 07:07:41 GMT
The Struts 2.3.29 test build is now available. It includes the latest
security patch which fixes few possible vulnerabilities:
-  Action name clean up is error prone
- Forced double OGNL evaluation, when evaluated on raw user input in
tag attributes, may lead to remote code execution (similar to S2-029)
- Remote Code Execution can be performed when using REST Plugin.
- It is possible to bypass token validation and perform a CSRF attack
- Getter as action method leads to security bypass
- Input validation bypass using existing default action method.
- Possible DoS attack when using URLValidator

For details and the rationale behind these changes, please consult the
corresponding security bulletins:
* https://cwiki.apache.org/confluence/display/WW/S2-035
* https://cwiki.apache.org/confluence/display/WW/S2-036
* https://cwiki.apache.org/confluence/display/WW/S2-037
* https://cwiki.apache.org/confluence/display/WW/S2-038
* https://cwiki.apache.org/confluence/display/WW/S2-039
* https://cwiki.apache.org/confluence/display/WW/S2-040
* https://cwiki.apache.org/confluence/display/WW/S2-041

Except the above, few other issues were resolved as well:
[WW-4608] - Json result type breaks
[WW-4618] - MessageStorePreResultListener doesn't store messages for
3rd-party RedirectResult subclasses
[WW-4622] - [struts2-tiles-plugin] [2.3.28]
[StrutsWildcardServletTilesApplicationContext] getRealPath
[WW-4623] - Multiple tiles.xml in web.xml
[WW-4624] - New Tiles version can not find tiles*.xml files in sub-directories
[WW-4626] - EmailValidator flags .cat emails as invalid
[WW-4627] - Struts2 JSON Plugin: messages in fieldsErrors are
serialized twice since jdk1.7_80
[WW-4629] - Tile definition Inheritance/overriding is broken in
Struts2 tiles plugin 2.3.28+
[WW-4630] - <s:submit> generates a value attribute for type=image
which violates W3C
[WW-4633] - ClassCastException while generating report using Struts
2.3.28 and jasperreports 4.5.1

Release notes:
* https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.29

Distribution:
* https://dist.apache.org/repos/dist/dev/struts/2.3.29/

Maven 2 staging repository:
* https://repository.apache.org/content/repositories/staging/

Once you have had a chance to review the test build, please respond
with a vote on its quality:

[ ] Leave at test build
[ ] Alpha
[ ] Beta
[ ] General Availability (GA)

Everyone who has tested the build is invited to vote. Votes by PMC
members are considered binding. A vote passes if there are at least
three binding +1s and more +1s than -1s.

This is a "fast-track" release vote. If we have a positive vote after
24 hours (at least three binding +1s and more +1s than -1s),  the
release may be submitted for mirroring and announced to the usual
channels.

The website download link will include the mirroring timestamp
parameter [1], which limits the selection of mirrors to those that
have been refreshed since the indicated time and date. (After 24
hours, we *must* remove the timestamp parameter from the website link,
to avoid unnecessary server load.) In the case of a fast-track
release, the email announcement will not link directly to
<download.cgi>, but to <downloads.html>, so that we can control use of
the timestamp parameter.

[1] http://apache.org/dev/mirrors.html#use

- The Apache Struts group.


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Mime
View raw message