struts-commits mailing list archives

From lukaszlen...@apache.org
Subject svn commit: r1015450 - in /websites/production/struts/content: announce.html docs/s2-049.html index.html
Date Fri, 14 Jul 2017 06:24:31 GMT
Author: lukaszlenart
Date: Fri Jul 14 06:24:31 2017
New Revision: 1015450

Log:
Updates production

Modified:
    websites/production/struts/content/announce.html
    websites/production/struts/content/docs/s2-049.html
    websites/production/struts/content/index.html

Modified: websites/production/struts/content/announce.html
==============================================================================
--- websites/production/struts/content/announce.html (original)
+++ websites/production/struts/content/announce.html Fri Jul 14 06:24:31 2017
@@ -127,6 +127,7 @@
 
 <ul id="markdown-toc">
   <li><a href="#a20170717" id="markdown-toc-a20170717">17 July 2017 - Struts
2.5.12 General Availability</a></li>
+  <li><a href="#a20170717-2" id="markdown-toc-a20170717-2">17 July 2017 - Struts
2.3.33 General Availability</a></li>
   <li><a href="#a20170707" id="markdown-toc-a20170707">9 July 2017 - Possible
RCE in the Struts Showcase app in the Struts 1 plugin example in the Struts 2.3.x series</a></li>
   <li><a href="#a20170323" id="markdown-toc-a20170323">23 march 2017 - Struts
Extras secure Multipart plugins General Availability - versions 1.1</a></li>
   <li><a href="#a20170320" id="markdown-toc-a20170320">20 march 2017 - Struts
Extras secure Multipart plugins General Availability</a></li>
@@ -154,7 +155,7 @@ to maintaining applications over time.</
   <li><a href="/docs/s2-047.html">S2-047</a>
 Possible DoS attack when using URLValidator</li>
   <li><a href="/docs/s2-049.html">S2-049</a>
-A DoS attack is available for Spring secured actions,</li>
+A DoS attack is available for Spring secured actions</li>
 </ul>
 
 <p>Except the above this release also contains several improvements just to mention
few of them:</p>
@@ -218,6 +219,42 @@ to the user list, and, if appropriate, f
 
 <p>You can download this version from our <a href="download.cgi#struts-ga">download</a>
page.</p>
 
+<h4 id="a20170717-2">17 July 2017 - Struts 2.3.33 General Availability</h4>
+
+<p>The Apache Struts group is pleased to announce that Struts 2.3.32 is available as
a “General Availability”
+release. The GA designation is our highest quality grade.</p>
+
+<p>This release addresses two potential security vulnerabilities:</p>
+
+<ul>
+  <li><a href="/docs/s2-049.html">S2-049</a>
+A DoS attack is available for Spring secured actions</li>
+  <li><a href="/docs/s2-048.html">S2-048</a>
+Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series</li>
+</ul>
+
+<p>Also this version resolves the following issues:</p>
+
+<ul>
+  <li><code class="highlighter-rouge">EmailValidator</code> does not accept
new domain suffixes</li>
+  <li>Revision number still missing from <code class="highlighter-rouge">dojo.js</code>
and <code class="highlighter-rouge">dojo.js.uncompressed.js</code></li>
+  <li>Strange Behavior Parsing Action Requests</li>
+</ul>
+
+<p>Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready
Java web applications.
+The framework is designed to streamline the full development cycle, from building, to deploying,
+to maintaining applications over time.</p>
+
+<p><strong>All developers are strongly advised to perform this action.</strong></p>
+
+<p>The 2.3.x series of the Apache Struts framework has a minimum requirement of the
following specification versions:
+Servlet API 2.4, JSP API 2.0, and Java 6.</p>
+
+<p>Should any issues arise with your use of any version of the Struts framework, please
post your comments
+to the user list, and, if appropriate, file a tracking ticket.</p>
+
+<p>You can download this version from our <a href="download.cgi#struts-23x">download</a>
page.</p>
+
 <h4 id="a20170707">9 July 2017 - Possible RCE in the Struts Showcase app in the Struts
1 plugin example in the Struts 2.3.x series</h4>
 
 <p>A potential security vulnerability was reported in the Struts 1 plugin used in the
Struts 2.3.x series.
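Review bot: the version number in the body of the new 2.3.33 announcement is wrong: directly under the heading `<h4 id="a20170717-2">17 July 2017 - Struts 2.3.33 General Availability</h4>`, the first paragraph reads `Struts 2.3.32 is available as a “General Availability” release`, so readers of the 2.3.x series are told that the previous release, which this one supersedes for S2-048 and S2-049, is the current one; change it to 2.3.33. The sentence `All developers are strongly advised to perform this action.` in the same block has no antecedent, since no action is named before it; spell out the action (upgrading to this release) so the advice stands on its own.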

Modified: websites/production/struts/content/docs/s2-049.html
==============================================================================
--- websites/production/struts/content/docs/s2-049.html (original)
+++ websites/production/struts/content/docs/s2-049.html Fri Jul 14 06:24:31 2017
@@ -139,7 +139,7 @@ under the License.
 
     <div class="pagecontent">
         <div class="wiki-content">
-            <div id="ConfluenceContent"><h2 id="S2-049-Summary">Summary</h2>A
DoS attack is available for Spring secured actions<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who
should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All
Struts 2 developers and users</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>A DoS attack is available for Spring
secured actions</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum
security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2512.html">Struts
2.5.12</a></p></td></tr><tr><th colspan="1" rowspan="1" class
 ="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.5 -<span style="color: rgb(23,35,59);"> Struts
2.5.10.1</span></p></td></tr><tr><th colspan="1" rowspan="1"
class="confluenceTh"><p>Reporter</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p><span class="Apple-tab-span">&#160;</span>Yasser
Zamani &lt;yasser dot zamani at live dot com&gt;</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>&#160;</p></td></tr></tbody></table></div><h2
id="S2-049-Problem">Problem</h2><p>When using a Spring AOP functionality to
secure Struts actions it is possible to perform a DoS attack when user was properly authenticated</p><p><span
style="font-size: 20.0px;">Solution</span></p><p>Upgrade to Apache Struts
version 2.5.12.</p><h2 id="S2-049-Backwardcompatibility">Backward compatibility</h2><p>No
backward incompatibility issues are expected.</p><h2
  id="S2-049-Workaround">Workaround</h2><p>Please define the below constant
in a <code>struts.xml</code>&#160;file:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+            <div id="ConfluenceContent"><h2 id="S2-049-Summary">Summary</h2>A
DoS attack is available for Spring secured actions<div class="table-wrap"><table
class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Who
should read this</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>All
Struts 2 developers and users</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>Impact of vulnerability</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>A DoS attack is available for Spring
secured actions</p></td></tr><tr><th colspan="1" rowspan="1" class="confluenceTh"><p>Maximum
security rating</p></th><td colspan="1" rowspan="1" class="confluenceTd"><p>Medium</p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Recommendation</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Upgrade to <a shape="rect" href="version-notes-2512.html">Struts
2.5.12</a></p></td></tr><tr><th colspan="1" rowspan="1" class
 ="confluenceTh"><p>Affected Software</p></th><td colspan="1" rowspan="1"
class="confluenceTd"><p>Struts 2.3.7 - Struts 2.3.32, Struts 2.5 -<span style="color:
rgb(23,35,59);"> Struts 2.5.10.1</span></p></td></tr><tr><th
colspan="1" rowspan="1" class="confluenceTh"><p>Reporter</p></th><td
colspan="1" rowspan="1" class="confluenceTd"><p>Yasser Zamani &lt;yasser dot
zamani at live dot com&gt;</p></td></tr><tr><th colspan="1"
rowspan="1" class="confluenceTh"><p>CVE Identifier</p></th><td colspan="1"
rowspan="1" class="confluenceTd"><p>CVE-2017-9787</p></td></tr></tbody></table></div><h2
id="S2-049-Problem">Problem</h2><p>When using a Spring AOP functionality to
secure Struts actions it is possible to perform a DoS attack when user was properly authenticated</p><p><span
style="font-size: 20.0px;">Solution</span></p><p>Upgrade to Apache Struts
version 2.5.12 or 2.3.33.</p><h2 id="S2-049-Backwardcompatibility">Backward compatibility</h2><p>No
backward incompatibility issues are expected.</
 p><h2 id="S2-049-Workaround">Workaround</h2><p>Please define the below
constant in a <code>struts.xml</code>&#160;file:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;constant
name="struts.additional.excludedPatterns" value=".\.accessDecisionManager\.." /&gt;</pre>
 </div></div><p>&#160;</p><p>&#160;</p></div>
         </div>
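Review bot: the Recommendation row of the table still reads `Upgrade to <a shape="rect" href="version-notes-2512.html">Struts 2.5.12</a>` while the same hunk extends Affected Software to `Struts 2.3.7 - Struts 2.3.32, Struts 2.5 - Struts 2.5.10.1` and changes the Solution paragraph to `version 2.5.12 or 2.3.33`; a 2.3.x user who reads only the summary table is pointed at a major-version jump rather than the 2.3.33 fix. Add 2.3.33 to the Recommendation cell, with a version-notes link matching the one the index.html change in this commit introduces. Separately, the unchanged workaround value `.\.accessDecisionManager\..` has a bare `.` with no quantifier on each side, so as a Java regex it matches exactly one character before and after `.accessDecisionManager.`; if the intent is to exclude any parameter name containing that segment, the `.*` quantifiers are missing (unless the asterisks were lost when the page was rendered), and the workaround would not cover the names it is meant to block.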

Modified: websites/production/struts/content/index.html
==============================================================================
--- websites/production/struts/content/index.html (original)
+++ websites/production/struts/content/index.html Fri Jul 14 06:24:31 2017
@@ -157,11 +157,11 @@
         <a href="/docs/version-notes-2512.html">Version notes</a>
       </div>
       <div class="column col-md-4">
-        <h2>Apache Struts 2.3.32 GA</h2>
+        <h2>Apache Struts 2.3.33 GA</h2>
         <p>
           It's the latest release of Struts 2.3.x which contains the latest security fix,
-          read more in <a href="announce.html#a20170307-2">Announcement</a> or
in
-          <a href="/docs/version-notes-2332.html">Version notes</a>
+          read more in <a href="announce.html#a20170717-2">Announcement</a> or
in
+          <a href="/docs/version-notes-2333.html">Version notes</a>
         </p>
       </div>
     </div>


