2016-04-27 1:04 GMT+02:00 Doug Erickson <doug.erick...@part.net>: > On the Struts home page, it says, "We have released two older versions of > Apache Struts which *contain the latest security fixes.* Please read > announcement for* 2.3.20.3* ..." > > Those notes say, "This release addresses *two* potential security > vulnerabilities," and then lists three issues, S2-029, S2-031, and S2-032.
Fixed, it supposed to be "three" > The notes for S2-029 say to use version 2.3.28, and the notes for S2-031 > and S2-032 say to use version 2.3.20*.2. *S2-030 only mentions 2.3.28. Also fixed, there was a bug discovered in 2.3.20.2 and 2.3.20.2 and that's why new versions were released - 2.3.20.3 & 2.3.24.3 > I really appreciate the maintenance of the older releases. Specifically, > changes in OGNL 3.0.13 cause some failures that are hard to find > statically, and perhaps other incompatibilities lurk in newer versions. Yes, that was the main reason to release also two older versions which already use Internal Security Mechanism. The changes in OGNL play nicely with it. > I am safe to take the announcement at face value, and assume that 2.3.20.3 > contains fixes for all known vulnerabilities, disregarding the details of > the bulletins themselves? Is there a plan to provide security updates for > 2.3.20 and 2.3.24? How long will they be supported? Not exactly, S2-030 wasn't addressed in 2.3.20.3 and 2.3.24.3 as we assumed it is a low risk vulnerability and in most cases everybody is using UTF-8 encoding or latest Java version. There is no plans to support 2.3.20.x and 2.3.24.x in the future, we assume that each user should migrate to the latest available version in 2.3.x branch which is 2.3.28.1. 2.3.20.3 & 2.3.24.3 were released as the fix was quite easy and should secure users for long time against possible further RCE attacks (the same as Internal Security Mechanism). And those versions are used the most (I mean 2.3.20 & 2.3.24) based on Maven Central statistics. Regards -- Ćukasz + 48 606 323 122 http://www.lenart.org.pl/ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
