Struts up to 2.3.16.1: Zero-Day Exploit Mitigation!

In Struts 2.3.16.1, an issue with ClassLoader manipulation via request parameters was supposed to be resolved. Unfortunately, - the correction wasn't sufficient, read more +

Google's Patch Rewards program

During SFHTML5 Google announced that they extend their program + to cover the Apache Struts project as well. Now you can earn some many preparing patches for us! + read more

Modified: websites/production/struts/content/submitting-patches.html ============================================================================== --- websites/production/struts/content/submitting-patches.html (original) +++ websites/production/struts/content/submitting-patches.html Sat Jun 7 09:41:03 2014 @@ -182,6 +182,34 @@ your fork and branch to compare the diff

Git at Apache

Google's Patch Reward program

+ +

During SFHTML5 Google announced that they adding the Apache Struts project to +the Google's Security Patch Reward Program.

+ +

What does it mean?

+ +

If you prepared a patch that eliminates a security vulnerability or improves existing security mechanism +you can get a bounty :-) You will find more details on +the Google's blog + or under the link above, just to give you a quick guideline how does it work:

+ +

prepare a patch and submit it to our JIRA, +it can be a Pull Request on GitHub as well, but must reference the JIRA ticket.
let us know that you did something great, post a message to Struts Dev mailing list
we will review the patch and if it's a real great thing then we will merge it into our code base
just wait on official release of the Apache Struts and now you can request the reward from Google :-)

+ +

NOTE

+ +

If you are concerned that your patch can disclose a security vulnerability, instead of submitting it as a ticket, +send it directly to the Struts Security team. This will give us the possibility +to prepare a new release with your patch in secret.

+ +

Have fun and code!