From: Lukasz Lenart
Date: Sun, 4 Nov 2018 10:30:47 +0100
Subject: [ANN] [SECURITY] Immediately upgrade commons-fileupload to version 1.3.1 when running Struts 2.3.36
To: announce@apache.org, announcements@struts.apache.org, Struts Users Mailing List

The Apache Struts Team recommends that you immediately upgrade your Struts 2.3.36 based projects to use the latest released version of the Commons FileUpload library, which is currently 1.3.1. This is necessary to prevent your publicly accessible web site from being exposed to possible DoS attacks [1] [2]. Your project is affected if it uses the built-in file upload mechanism of Struts 2, which defaults to commons-fileupload.

The updated commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the fixed jar; make sure no older copy of the jar remains alongside it. For Maven based Struts 2 projects, the following dependency needs to be added to your pom.xml (a version declared directly in your own pom takes precedence over the one pulled in transitively through struts2-core):

    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3.1</version>
    </dependency>

More details can be found here:

[1] http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
[2] http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E

on behalf of the Apache Struts Team

Regards
-- 
Łukasz
+ 48 606 323 122
http://www.lenart.org.pl/
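To verify that a deployed application actually picked up the fixed jar, the following scanner walks a WEB-INF/lib directory, finds every commons-fileupload jar, reads the version from the jar's MANIFEST.MF (falling back to the version in the file name) and flags anything below 1.3.1. This is an added example written for this page, not code from the Apache Struts Team or the Commons project; it assumes the jar is named commons-fileupload-<version>.jar or carries an Implementation-Version manifest attribute, as the official Apache release artifacts do. The jars it scans in its demo run are constructed in a temporary directory and contain no real classes.

```python
"""Check a Struts 2 deployment's WEB-INF/lib for commons-fileupload < 1.3.1.
Added example for this advisory, not project code. Assumes official-style
jar naming (commons-fileupload-<version>.jar) and/or an Implementation-Version
attribute in META-INF/MANIFEST.MF."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = "1.3.1"   # minimum version the advisory asks for
# Version in the file name is optional: a jar may be named commons-fileupload.jar
JAR_NAME_RE = re.compile(r"^commons-fileupload(?:-(\d+(?:\.\d+)*))?\.jar$")


def parse_version(text):
    """'1.3.1' -> (1, 3, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def version_is_fixed(version):
    """True when version >= FIXED_VERSION. Shorter tuples are zero-padded so
    that 1.3 < 1.3.1 and 1.4 > 1.3.1 compare the way Maven orders them.
    Anything unparsable yields () and is therefore reported as not fixed."""
    a, b = parse_version(version), parse_version(FIXED_VERSION)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_lib_dir(lib_dir):
    """Return [(filename, version, vulnerable)] for every commons-fileupload
    jar in lib_dir, sorted by name. The manifest wins over the file name;
    a jar with neither is reported as 'unknown' and flagged for review."""
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_NAME_RE.match(name)
        if not m:
            continue
        path = os.path.join(lib_dir, name)
        version = manifest_version(path) or m.group(1) or "unknown"
        findings.append((name, version, not version_is_fixed(version)))
    return findings


def build_sample_lib():
    """CONSTRUCTED fixture: a throwaway WEB-INF/lib holding three jars that
    contain only a manifest, so the scanner can be exercised offline."""
    lib_dir = tempfile.mkdtemp(prefix="web-inf-lib-")
    samples = {
        "commons-fileupload-1.3.jar": "1.3",      # older than the fix
        "commons-fileupload-1.3.1.jar": "1.3.1",  # the drop-in replacement
        "commons-fileupload.jar": None,           # no version anywhere
    }
    for filename, version in samples.items():
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        with zipfile.ZipFile(os.path.join(lib_dir, filename), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
    return lib_dir


if __name__ == "__main__":
    # Point scan_lib_dir at a real <webapp>/WEB-INF/lib in practice.
    for name, version, vulnerable in scan_lib_dir(build_sample_lib()):
        status = f"UPGRADE to {FIXED_VERSION}" if vulnerable else "ok"
        print(f"{name}: {version} -> {status}")
```

The scanner only sees jars that are named or stamped as commons-fileupload. If a build shades or repackages the library into another jar, the classes will not be found this way; in that case check the build's dependency tree (for Maven, mvn dependency:tree) rather than the deployed file names.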