This is an automated email from the ASF dual-hosted git repository.
lukaszlenart pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/main by this push:
new 4464fde02 Adds an announcement about S2-068 security bulletin (#284)
4464fde02 is described below
commit 4464fde02e3427c1306b27528feac1e40be8fcf5
Author: Lukasz Lenart <[email protected]>
AuthorDate: Mon Dec 1 16:10:08 2025 +0100
Adds an announcement about S2-068 security bulletin (#284)
* Adds an announcement about S2-068 security bulletin
* Ignores Ruby specific folder
---
.gitignore | 1 +
source/announce-2025.md | 15 +++++++++++++++
source/index.html | 9 ++++-----
3 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index 4447f16ab..2899b5fa9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ _site/
.rvm/
Gemfile.lock
.claude/settings.local.json
+.rvm
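Review bot: The added `.rvm` entry overlaps the `.rvm/` pattern that is already present as a context line in this hunk, so the Ruby folder was ignored before this change. If the intent is to also cover a `.rvm` file or symlink, replace the existing `.rvm/` line with `.rvm` instead of keeping both; otherwise drop the new line.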
diff --git a/source/announce-2025.md b/source/announce-2025.md
index d066ef8ce..b178e0209 100644
--- a/source/announce-2025.md
+++ b/source/announce-2025.md
@@ -13,6 +13,21 @@ title: Announcements 2025
Skip to: <a href="announce-2024">Announcements - 2024</a>
</p>
+#### 1 December 2025 - CVE-2025-64775: File leak in multipart request
processing causes disk exhaustion (DoS) {#a20251201}
+
+The Apache Struts group recommends upgrading to Apache Struts version 6.8.0 or
7.1.1 to mitigate potential security
+vulnerability when using [file upload
support](https://struts.apache.org/core-developers/file-upload).
+
+> Please read the Security Bulletin
[S2-068](https://cwiki.apache.org/confluence/display/WW/S2-068) to find more
+> details about this security vulnerability
+
+**All developers are strongly advised to perform this upgrade.**
+
+Should any issues arise with your use of any version of the Struts framework,
please post your comments to the user list,
+and, if appropriate, file [a tracking ticket]({{ site.jira_url }}).
+
+You can download the latest version from our
[download](download.cgi#struts-ga) page.
+
#### 18 October 2025 - Apache Struts version 7.1.1 General Availability
{#a20251018}
The Apache Struts group is pleased to announce that Apache Struts version
7.1.1 is available as a "General Availability"
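Review bot: The S2-068 link in the blockquote hard-codes `https://cwiki.apache.org/confluence/display/WW/S2-068`, while the index.html change in this same commit builds it as `{{ site.wiki_url }}/S2-068`, and this file already uses Liquid variables (`{{ site.jira_url }}`); use the site variable here as well so both pages follow one setting. In the first paragraph, "to mitigate potential security vulnerability" is missing an article ("a potential security vulnerability"), and the blockquote sentence has no closing period.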
diff --git a/source/index.html b/source/index.html
index 3b619bc73..90dce9371 100644
--- a/source/index.html
+++ b/source/index.html
@@ -39,14 +39,13 @@ title: Welcome to the Apache Struts project
<a href="{{ site.wiki_url }}/Version+Notes+{{ site.prev_version
}}">Version notes</a>
</div>
<div class="column col-md-4">
- <h2>CVE-2024-53677 File upload logic is flawed</h2>
+ <h2>CVE-2025-64775 File leak in multipart request processing causes
disk exhaustion (DoS)</h2>
<p>
- Upgrade to Apache Struts 6.4.0 at least and migrate to
- the new <a href="core-developers/action-file-upload">Action File
Upload</a> mechanism.
+ Upgrade to Apache Struts 6.8.0 or 7.1.1 to mitigate the
vulnerability.
</p>
<p>
- Read more in <a href="announce-2024#a20241210">Announcement</a> or in
- the Security Bulletin <a href="{{ site.wiki_url }}/S2-067">S2-067</a>
+ Read more in the <a href="announce-2025#a20251201">Announcement</a>
or in
+ the Security Bulletin <a href="{{ site.wiki_url }}/S2-068">S2-068</a>
</p>
</div>
</div>
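Review bot: The new paragraph reads "Upgrade to Apache Struts 6.8.0 or 7.1.1", where the line it replaces said "6.4.0 at least"; without "at least" or "or later" the panel names two exact versions and will be out of date at the next release. The replacement also removes this panel's pointer to S2-067 and the Action File Upload migration; since both bulletins concern file upload, consider keeping a short link to `announce-2024#a20241210` alongside the new one.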