struts-issues mailing list archives

From "Lukasz Lenart (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WW-4917) Clarification on security status and support for Struts 2.3
Date Sun, 11 Feb 2018 20:51:00 GMT

    [ https://issues.apache.org/jira/browse/WW-4917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360120#comment-16360120 ]

Lukasz Lenart commented on WW-4917:
-----------------------------------

From our point of view, 2.3.34 isn't secure enough to be compared with the 2.5.x series. There
are important architectural changes in 2.5.x that reduce the impact of potential future security
vulnerabilities. At some point we might only recommend migration to 2.5.x as fixing 2.3.34
won't be possible.

> Clarification on security status and support for Struts 2.3
> -----------------------------------------------------------
>
>                 Key: WW-4917
>                 URL: https://issues.apache.org/jira/browse/WW-4917
>             Project: Struts 2
>          Issue Type: Task
>          Components: Documentation
>    Affects Versions: 2.3.34
>            Reporter: Richard Taylor
>            Priority: Minor
>              Labels: security
>             Fix For: 2.3.x
>
>
> Hi
>  
> Can you kindly provide clarity as to the exact status of the 2.3 series in terms of ongoing support and security status.
>  
>  
> On the Struts web page [https://struts.apache.org/]
>  
> I found the statement:
>  
> "It's the latest release of Struts 2.3.x which contains the latest security fixes, read more in [Announcement|https://struts.apache.org/announce.html#a20170907] or in [Version notes|https://struts.apache.org/docs/version-notes-2334.html]"
>  
> Yet, on the page at [https://struts.apache.org/releases.html] it is stated that:
>  
> h2. "Prior Releases
> As a courtesy, we retain archival copies of the website for releases that initially were considered "General Availability" but which has been reclassified as "Not recommended" since they contain security issues
> "
> And version 2.3.34 is listed here.
>  
>  
> Lastly - I find no EOL announcement for 2.3.x
>  
> So in summary the question is:
>  
> *1 Is the 2.3 series EOL?*
> *2 Does 2.3.34 contain any known security bugs?*
>  
>  
> Thanking you in advance 
>  
> Richard



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
