struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Confusion on Security Bulletin fix versions
Date Wed, 27 Apr 2016 05:24:26 GMT
2016-04-27 1:04 GMT+02:00 Doug Erickson <doug.erickson@part.net>:
> On the Struts home page, it says, "We have released two older versions of
> Apache Struts which *contain the latest security fixes.* Please read
> announcement for *2.3.20.3* ..."
>
> Those notes say, "This release addresses *two* potential security
> vulnerabilities," and then lists three issues, S2-029, S2-031, and S2-032.

Fixed, it is supposed to be "three".

> The notes for S2-029 say to use version 2.3.28, and the notes for S2-031
> and S2-032 say to use version 2.3.20.2. S2-030 only mentions 2.3.28.

Also fixed; there was a bug discovered in 2.3.20.2 and 2.3.20.2, and
that's why new versions were released: 2.3.20.3 & 2.3.24.3.

> I really appreciate the maintenance of the older releases. Specifically,
> changes in OGNL 3.0.13 cause some failures that are hard to find
> statically, and perhaps other incompatibilities lurk in newer versions.

Yes, that was the main reason to also release two older versions which
already use the Internal Security Mechanism. The changes in OGNL play
nicely with it.

> I am safe to take the announcement at face value, and assume that 2.3.20.3
> contains fixes for all known vulnerabilities, disregarding the details of
> the bulletins themselves? Is there a plan to provide security updates for
> 2.3.20 and 2.3.24? How long will they be supported?

Not exactly: S2-030 wasn't addressed in 2.3.20.3 and 2.3.24.3, as we
assumed it is a low-risk vulnerability and that in most cases everybody
is using UTF-8 encoding or the latest Java version.

There are no plans to support 2.3.20.x and 2.3.24.x in the future; we
assume that each user should migrate to the latest available version
in the 2.3.x branch, which is 2.3.28.1.
2.3.20.3 & 2.3.24.3 were released as the fix was quite easy and should
secure users for a long time against possible further RCE attacks (the
same as the Internal Security Mechanism). And those versions (I mean
2.3.20 & 2.3.24) are the most used, based on Maven Central statistics.


Regards
-- 
Ɓukasz
+ 48 606 323 122 http://www.lenart.org.pl/
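The practical consequence of this reply is that "which bulletins does my Struts version carry a fix for" is not a single version threshold: the S2-029/S2-031/S2-032 fixes were backported to the 2.3.20 and 2.3.24 maintenance lines as 2.3.20.3 and 2.3.24.3, while S2-030 is only fixed from 2.3.28 on, and versions between those lines (2.3.21 through 2.3.23, 2.3.25 through 2.3.27) were never patched at all. The following is an added example in Python (not code from the Struts project or from either poster) of a branch-aware check. The advisory-to-release table is transcribed from this thread and is an assumption for illustration, not an authoritative source; the assumption that a fix present in 2.3.28 is retained by later 2.3.x releases is also mine.

```python
"""Branch-aware check of a Struts 2.3.x version against the fixes discussed
in this thread. Added example, not Struts project code. FIXED_IN below is
transcribed from the thread (S2-029/S2-031/S2-032 backported to 2.3.20.3 and
2.3.24.3; S2-030 only in 2.3.28) and is an assumption for illustration; check
the actual bulletins before relying on it."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.20.3' -> (2, 3, 20, 3). Non-numeric components are rejected
    rather than guessed at."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


# Advisory -> releases that carry its fix, as stated in the thread
# (assumed table). A four-component release such as 2.3.20.3 is a backport
# on the 2.3.20 line only; 2.3.28 opens a new line and is assumed to carry
# the fix forward into later 2.3.x releases (e.g. 2.3.28.1).
FIXED_IN: Dict[str, List[str]] = {
    "S2-029": ["2.3.20.3", "2.3.24.3", "2.3.28"],
    "S2-030": ["2.3.28"],
    "S2-031": ["2.3.20.3", "2.3.24.3", "2.3.28"],
    "S2-032": ["2.3.20.3", "2.3.24.3", "2.3.28"],
}


def covered_by(installed: Version, fix: Version) -> bool:
    """True if `installed` carries the fix released as `fix`.

    The maintenance line is the first three components (2.3.20, 2.3.24, ...).
    A backport with a patch component (2.3.20.3) only covers that line at or
    above that patch level, so 2.3.25 is NOT covered by 2.3.24.3. A fix that
    opens a line (2.3.28) covers that line and every later line."""
    fix_line, fix_patch = fix[:3], fix[3:]
    inst_line, inst_patch = installed[:3], installed[3:]
    if fix_patch:
        # Backport: must be the same line and at least that patch level.
        # Note () >= (3,) is False, so bare 2.3.20 is correctly not covered.
        return inst_line == fix_line and inst_patch >= fix_patch
    return inst_line >= fix_line


def unfixed_advisories(version_text: str) -> List[str]:
    """Advisories in FIXED_IN whose fix the given version does not carry."""
    installed = parse_version(version_text)
    return [adv for adv, fixes in FIXED_IN.items()
            if not any(covered_by(installed, parse_version(f)) for f in fixes)]


def naive_unfixed(version_text: str) -> List[str]:
    """The mistake a branch-unaware scanner makes: treating the lowest fixed
    release as a single threshold. It wrongly accepts 2.3.21 and 2.3.25 for
    S2-029/S2-031/S2-032 because they compare greater than 2.3.20.3."""
    installed = parse_version(version_text)
    return [adv for adv, fixes in FIXED_IN.items()
            if installed < parse_version(min(fixes, key=parse_version))]


if __name__ == "__main__":
    # Constructed sample inputs: versions named in the thread plus an
    # unpatched in-between release.
    for v in ["2.3.20.2", "2.3.20.3", "2.3.25", "2.3.24.3", "2.3.28.1"]:
        print(f"{v:10} branch-aware: {unfixed_advisories(v) or 'none'}"
              f"   naive: {naive_unfixed(v) or 'none'}")
```

Running it shows the divergence the thread implies: 2.3.20.3 and 2.3.24.3 report only S2-030 outstanding, 2.3.28.1 reports nothing, and 2.3.25 reports all four under the branch-aware check but only S2-030 under the naive threshold comparison.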

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

