struts-user mailing list archives

From Gokul Raj <vgokul...@gmail.com>
Subject Re: [ANN] Apache Struts 2.3.35 GA with Security Fixes Release
Date Thu, 23 Aug 2018 06:00:42 GMT
Should we update the dependency jar, or is it okay to update only the struts core
jar?

On Wed, 22 Aug 2018 at 13:05, Yasser Zamani <yasserzamani@apache.org> wrote:

> The Apache Struts group is pleased to announce that Struts 2.3.35 is
> available as a “General Availability” release. The GA designation is
> our highest quality grade.
>
> In addition to critical overall proactive security improvements, this
> release addresses one potential security vulnerability:
> - Possible Remote Code Execution when using results with no namespace
> and, at the same time, its upper action(s) have no or wildcard namespace.
> Same possibility when using url tag which doesn’t have value and action
> set. - S2-057 -
> http://struts.apache.org/docs/s2-057.html
>
> Apache Struts 2 is an elegant, extensible framework for creating
> enterprise-ready Java web applications. The framework is designed to
> streamline the full development cycle, from building, to deploying, to
> maintaining applications over time.
>
> All developers are strongly advised to perform this action.
>
> The 2.3.x series of the Apache Struts framework has a minimum
> requirement of the following specification versions: Servlet API 2.4,
> JSP API 2.0, and Java 6.
>
> Should any issues arise with your use of any version of the Struts
> framework, please post your comments to the user list, and, if
> appropriate, file a tracking ticket.
>
> You can download this version from our download page.
> http://struts.apache.org/download.cgi#struts-23x
>
>
> Regards.
>


-- 

Regards
Gokul
