From commits-return-19398-archive-asf-public=cust-asf.ponee.io@struts.apache.org Tue Dec 8 07:03:26 2020
Return-Path:
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255]) by mx-eu-01.ponee.io (Postfix) with ESMTPS id 9D49718066D for ; Tue, 8 Dec 2020 08:03:26 +0100 (CET)
Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-ec2-va.apache.org (ASF Mail Server at mxout1-ec2-va.apache.org) with SMTP id 3B98247F3E for ; Tue, 8 Dec 2020 07:02:50 +0000 (UTC)
Received: (qmail 45871 invoked by uid 500); 8 Dec 2020 07:02:49 -0000
Mailing-List: contact commits-help@struts.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@struts.apache.org
Delivered-To: mailing list commits@struts.apache.org
Received: (qmail 45858 invoked by uid 99); 8 Dec 2020 07:02:49 -0000
Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Dec 2020 07:02:49 +0000
Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 9C9BF81ADE; Tue, 8 Dec 2020 07:02:49 +0000 (UTC)
Date: Tue, 08 Dec 2020 07:02:49 +0000
To: "commits@struts.apache.org"
Subject: [struts-site] branch asf-site updated: Automatic Site Publish by Buildbot
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <160741096956.4464.15348072913747009048@gitbox.apache.org>
From: git-site-role@apache.org
X-Git-Host: gitbox.apache.org
X-Git-Repo: struts-site
X-Git-Refname: refs/heads/asf-site
X-Git-Reftype: branch
X-Git-Oldrev: 15bd0e5fdc990f0e11c54fb595de2d859d229a14
X-Git-Newrev: f9eff74d820f26115e541658f8eb99e64ad9a9ef
X-Git-Rev: f9eff74d820f26115e541658f8eb99e64ad9a9ef
X-Git-NotificationType: ref_changed_plus_diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated

This is an automated email from the ASF dual-hosted git repository.

git-site-role pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/struts-site.git

The following commit(s) were added to refs/heads/asf-site by this push:
     new f9eff74  Automatic Site Publish by Buildbot
f9eff74 is described below

commit f9eff74d820f26115e541658f8eb99e64ad9a9ef
Author: buildbot
AuthorDate: Tue Dec 8 07:02:45 2020 +0000

    Automatic Site Publish by Buildbot
---
 output/announce.html | 27 +++++++++++++++++++++++++++
 output/index.html    |  6 +++---
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/output/announce.html b/output/announce.html index ec1c806..9dcb38d 100644 --- a/output/announce.html +++ b/output/announce.html @@ -132,6 +132,7 @@

Announcements 2020

    +
  • 08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530
  • 06 December 2020 - Struts 2.5.26 General Availability
  • 28 September 2020 - Struts 2.5.25 General Availability
  • 13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues
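Review bot: the new list entry "08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530" does not follow the naming used by the earlier advisory entry in the same list ("Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues"); consider the same "Security Advice:" prefix so advisories stand out from the release announcements around them, and check that the entry's anchor points at the new 08 December 2020 section added further down in this file rather than at an older bulletin.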
  • @@ -141,6 +142,32 @@ Skip to: Announcements - 2019

    +

    08 December 2020 - Potential RCE when using forced evaluation - CVE-2020-17530

    + +

    The Apache Struts Security team would like to announce that forced OGNL evaluation, when evaluated on raw user input +in tag attributes, may lead to remote code execution.

    + +

    Problem

    + +

    Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation +by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution +and security degradation.

    + +

    Solution

    + +

    Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression +evaluation won’t lead to the double evaluation.

    + +

    Please read our Security Bulletin S2-061 for more details.

    + +

    This vulnerability was identified by:

    +
      +
    • Alvaro Munoz - pwntester at github dot com
    • +
    • Masato Anzai of Aeye Security Lab, inc.
    • +
    + +

    All developers are strongly advised to perform this action.

    +

    06 December 2020 - Struts 2.5.26 General Availability

    The Apache Struts group is pleased to announce that Struts 2.5.26 is available as a “General Availability” diff --git a/output/index.html b/output/index.html index b29b065..2d5adae 100644 --- a/output/index.html +++ b/output/index.html @@ -153,11 +153,11 @@ Version notes

    -

    Security Advice S2-058 released

    +

    Security Advice S2-061 released

    - A number of historic Struts Security Bulletins and related CVE database entries contained incorrect affected release version ranges. + Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Read more in - Announcement + Announcement
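Review bot: in the announce.html body hunk, the closing line "All developers are strongly advised to perform this action." is ambiguous because the Solution paragraph offers two alternatives (avoid forced OGNL evaluation on untrusted input, and/or upgrade to Struts 2.5.26); reword it to name the action, e.g. "All developers are strongly advised to upgrade to Struts 2.5.26 and to stop applying forced OGNL evaluation to untrusted input." The Problem paragraph also says "Some of the tag's attributes could perform a double evaluation" without naming the tags, the attributes, or the affected version range; either list them here or state explicitly that Security Bulletin S2-061 carries that detail, and make the S2-061 reference a link.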
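Review bot: in the index.html hunk, the replacement card text "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution." states the impact but neither the CVE id nor the fixed release; since the front page is where most visitors land, add "CVE-2020-17530, fixed in Struts 2.5.26" so the remediation is visible without following the link. Also confirm the changed "Announcement" link target now points at the new 08 December 2020 section of announce.html and not at the removed S2-058 entry.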