From: Lukasz Lenart
Date: Wed, 27 Apr 2016 07:24:26 +0200
Subject: Re: Confusion on Security Bulletin fix versions
To: Struts Users Mailing List

2016-04-27 1:04 GMT+02:00 Doug Erickson :
> On the Struts home page, it says, "We have released two older versions of
> Apache Struts which *contain the latest security fixes.* Please read
> announcement for *2.3.20.3* ..."
>
> Those notes say, "This release addresses *two* potential security
> vulnerabilities," and then lists three issues, S2-029, S2-031, and S2-032.

Fixed, it is supposed to be "three".

> The notes for S2-029 say to use version 2.3.28, and the notes for S2-031
> and S2-032 say to use version 2.3.20.2. S2-030 only mentions 2.3.28.

Also fixed. There was a bug discovered in 2.3.20.2 and 2.3.24.2, and that's why new versions were released: 2.3.20.3 & 2.3.24.3.

> I really appreciate the maintenance of the older releases. Specifically,
> changes in OGNL 3.0.13 cause some failures that are hard to find
> statically, and perhaps other incompatibilities lurk in newer versions.

Yes, that was the main reason to release also two older versions which already use the Internal Security Mechanism. The changes in OGNL play nicely with it.

> Am I safe to take the announcement at face value, and assume that 2.3.20.3
> contains fixes for all known vulnerabilities, disregarding the details of
> the bulletins themselves? Is there a plan to provide security updates for
> 2.3.20 and 2.3.24? How long will they be supported?

Not exactly: S2-030 wasn't addressed in 2.3.20.3 and 2.3.24.3, as we assumed it is a low-risk vulnerability and in most cases everybody is using UTF-8 encoding or the latest Java version.

There are no plans to support 2.3.20.x and 2.3.24.x in the future; we assume that each user should migrate to the latest available version in the 2.3.x branch, which is 2.3.28.1. 2.3.20.3 & 2.3.24.3 were released as the fix was quite easy and should secure users for a long time against possible further RCE attacks (the same as the Internal Security Mechanism). And those versions (I mean 2.3.20 & 2.3.24) are used the most, based on Maven Central statistics.

Regards
-- 
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/