struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: Security vulnerability process for EOL versions
Date Thu, 14 Sep 2017 07:13:23 GMT
2017-09-13 18:57 GMT+02:00 Lehmer, Jason <Jason.Lehmer@capella.edu>:
> In cases where the Struts community is notified or discovers a security vulnerability
> in a supported version, does the evaluation process include identifying unsupported versions
> that may be impacted as well? I realize the recommendation will likely be to upgrade to a
> supported version but I just wanted to confirm that even EOL versions are taken into account
> when identifying potential impacts.

We support two lines now:
- 2.3.x where you can expect only security fixes and small
improvements (mostly incorporated from the main line)
- 2.5.x our main line, with security fixes and new features

When verifying a vulnerability report we try to investigate which
versions are affected down the line but we omit EOLed versions (in
this case Struts 1).


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
