struts-user mailing list archives

From David Dillard
Subject Question Regarding Recent Security Announcement
Date Sun, 04 Nov 2018 17:40:03 GMT

An email was recently sent to the Apache Announcements list suggesting that users update to Apache Struts 2.3.36 in order to update to Apache Commons Fileupload 1.3.3 due to a potential DoS. I have a few questions about this:

  1.  Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used, not 1.3.3, so I'm confused about what's stated in the email.  What's recommended doesn't seem to accomplish what the email states it will.
  2.  The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016.
  3.  This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2.

So, given all of this, can someone explain why this recommendation was made and why now since
the noted issues to have been resolved for a couple of years?


