From: Lukasz Lenart
Date: Mon, 5 Nov 2018 08:15:51 +0100
Subject: Re: Question Regarding Recent Security Announcement
To: Struts Users Mailing List <user@struts.apache.org>
In-Reply-To: <3b9e522e9e574dac92084f2ad7233b90@vrtsxchclupin09.community.veritas.com>

Sun, 4 Nov 2018 at 18:40 David Dillard wrote:
> 1. Per the Maven repository, Struts 2.3.36 recommends Fileupload 1.3.2 be used, not 1.3.3, so I'm confused about what's stated in the email. What's recommended doesn't seem to accomplish what the email states it will.

We overlooked that when we were preparing Struts 2.3.36; this is an easy drop-in dependency.

> 2. The recommendation for Fileupload 1.3.2 can be found in the Maven repository since Struts 2.3.30, which was released back in July 2016.
> 3. This makes sense since the last documented DoS vulnerability in Fileupload was fixed in 1.3.2.

Here is the original announcement
https://struts.apache.org/announce.html#a20180323

Regards
-- 
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
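One way to apply the drop-in dependency Łukasz refers to, as an added example that is not part of this thread or of the Struts project's own POMs: pin commons-fileupload to the 1.3.3 version discussed above so that it overrides the 1.3.2 that struts2-core 2.3.36 pulls in transitively. The struts2-core coordinates are assumed from the Maven repository; nothing else is taken from the thread.

```xml
<!-- Excerpt of an application pom.xml (constructed example). -->
<project>
  <!-- A managed version wins over the transitive version that
       struts2-core declares, so 1.3.2 is replaced by 1.3.3 everywhere
       in the build without touching the Struts dependency itself. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Unchanged: Struts 2.3.36 itself still resolves 1.3.2 on its own,
         which is the gap David noticed in the Maven metadata. -->
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.36</version>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm the resolved version with `mvn dependency:tree -Dincludes=commons-fileupload`; the tree should list 1.3.3 and no remaining 1.3.2 entry.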